{"id":"ASB-A-271962784","details":"In avrc_vendor_msg of avrc_opt.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-271962784","CVE-2024-49714"],"modified":"2026-04-03T15:37:31.002635Z","published":"2025-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6b669f231d0faf4658bb3ba6ea7f77d4d4a5e1b1"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-09-01"}]}],"versions":["16-next"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":813,"function_hash":"161964072447301556907021949801306052708"},"deprecated":false,"signature_version":"v1","target":{"file":"system/stack/avrc/avrc_opt.cc","function":"avrc_vendor_msg"},"id":"ASB-A-271962784-019302b8","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["233173819388143007683002944958412463167","281597275017415760895749258884319544714","222957863068205357447326730381878078511","250779556980860033012007924240257078315","321543060838153475417302785315600971957"]},"deprecated":false,"signature_version":"v1","target":{"file":"system/stack/avrc/avrc_opt.cc"},"id":"ASB-A-271962784-d308274d","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf","signature_type":"Line"}],"severity":"High","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf"],"types":["EoP"],"spl":"2025-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271962784.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-09-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":813,"function_hash":"161964072447301556907021949801306052708"},"deprecated":false,"signature_version":"v1","target":{"file":"system/stack/avrc/avrc_opt.cc","function":"avrc_vendor_msg"},"id":"ASB-A-271962784-ae038f9f","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["233173819388143007683002944958412463167","281597275017415760895749258884319544714","222957863068205357447326730381878078511","250779556980860033012007924240257078315","321543060838153475417302785315600971957"]},"deprecated":false,"signature_version":"v1","target":{"file":"system/stack/avrc/avrc_opt.cc"},"id":"ASB-A-271962784-b403dfc1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf","signature_type":"Line"}],"severity":"High","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf"],"types":["EoP"],"spl":"2025-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271962784.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-09-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":813,"function_hash":"161964072447301556907021949801306052708"},"deprecated":false,"signature_version":"v1","target":{"file":"system/stack/avrc/avrc_opt.cc","function":"avrc_vendor_msg"},"id":"ASB-A-271962784-44b032d0","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["233173819388143007683002944958412463167","281597275017415760895749258884319544714","222957863068205357447326730381878078511","250779556980860033012007924240257078315","321543060838153475417302785315600971957"]},"deprecated":false,"signature_version":"v1","target":{"file":"system/stack/avrc/avrc_opt.cc"},"id":"ASB-A-271962784-cea561e7","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf","signature_type":"Line"}],"severity":"High","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d5de235b461ec83e43a7db513e286d3204c4cedf"],"types":["EoP"],"spl":"2025-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271962784.json"}}],"schema_version":"1.7.5"}