{"id":"ASB-A-271335899","details":"In eatt_l2cap_reconfig_completed of eatt_impl.h, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-271335899","CVE-2023-35681"],"modified":"2026-05-01T15:24:27.653932Z","published":"2023-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d8d95291f16a8f18f8ffbd6322c14686897c5730"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-09-01"}]}],"versions":["13-next"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/282d4a182ea6a7d2e6e0f6901d2bc1e75b49e52f","id":"ASB-A-271335899-6bd28875","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["106468571724457935060889431497082031573","224746628071366889996733460199723691463","269050480755408262475493031397919512570","337728979793973427592397871584260474723","64763010061956417951425775569181908724","158595671907601721849330534614287272374","6278613269636320475066097300482403831","139581319459527572518299348002139755630","315204657456236489965325720265591737430","237587774238938777520761873807626246871","326220230029268022540499762400229363028","331151508027849466654896791392215369638","281105754671305560937296257709464800069","242523549094094978786013181756494489007","141190444124508517757142649718561139701","187107218421415198676659012306597618903","270901897684879479235076094318212763996","64899529114296083661267038785523487649"]},"target":{"file":"system/stack/eatt/eatt.h"},"deprecated":true},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/282d4a182ea6a7d2e6e0f6901d2bc1e75b49e52f","id":"ASB-A-271335899-e3a587c6","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["331090966016956691892133144993749040555","270430452053097064486327914452413722223","215904791462145415175955496860471742186","110114905142101222154756594980242415244"]},"target":{"file":"system/stack/eatt/eatt_impl.h"},"deprecated":true}],"spl":"2023-09-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/282d4a182ea6a7d2e6e0f6901d2bc1e75b49e52f"],"severity":"Critical","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271335899.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-09-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ea76b7d99e6366e2043c5621eda630d559104d36","id":"ASB-A-271335899-01df2254","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["127185778877505217522856880614722443576","227903399970572181873772458658748521878","269050480755408262475493031397919512570","337728979793973427592397871584260474723","64763010061956417951425775569181908724","158595671907601721849330534614287272374","6278613269636320475066097300482403831","139581319459527572518299348002139755630","315204657456236489965325720265591737430","181695553486291092354025663372106023032","19792825492311003158346201077218441365","69976667531336986473893372328552399170","282492931964360102608231496086488496313","141190444124508517757142649718561139701","187107218421415198676659012306597618903","270901897684879479235076094318212763996","64899529114296083661267038785523487649"]},"target":{"file":"system/stack/eatt/eatt.h"},"deprecated":true},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ea76b7d99e6366e2043c5621eda630d559104d36","id":"ASB-A-271335899-2d216eb2","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["331090966016956691892133144993749040555","270430452053097064486327914452413722223","319126984992492451713688463304047715388","114311290908469330652899293365584033335"]},"target":{"file":"system/stack/eatt/eatt_impl.h"},"deprecated":true}],"spl":"2023-09-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ea76b7d99e6366e2043c5621eda630d559104d36"],"severity":"Critical","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271335899.json"}}],"schema_version":"1.7.5"}