{"id":"ASB-A-273874525","details":"In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-273874525","CVE-2023-40129"],"modified":"2026-04-17T15:55:28.020024Z","published":"2023-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-10-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c0151aa3ba76c785b32c7f9d16c98febe53017b1"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-10-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-10-01","vanir_signatures":[{"target":{"function":"build_read_multi_rsp","file":"stack/gatt/gatt_sr.cc"},"id":"ASB-A-273874525-84daf640","signature_type":"Function","deprecated":false,"digest":{"length":1957,"function_hash":"36167147116348345863936788657702224124"},"source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed","signature_version":"v1"},{"target":{"file":"stack/gatt/gatt_sr.cc"},"id":"ASB-A-273874525-850b3746","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["320180208113292607896087960140748321710","185620860055585878484986184931846809734","319420841029342921839194282503417907253","250978578845779696356386414138024276852","318872592807275993100937040753514395656","141269574546360549306461848829328979810","204714876695755523928580335686404439046","183905982059378682327217227057606426163","311954045522797841068282195162869825882","263232450369799039219493308252416876531","400206405204418213502213550468525364","314770545184342246476502425255109428247","307362275633226171916038256427833315124","308895341643965181959918133811250227217","122757879597053200394180763992077422796","67834856507516609453221547184769402811","129943154435575809610568843399508029933","237475983115649658632985560846409519343","13227297075605735205156259313947404717","85253462756822884360816865997710830720","24526966502570633969055920681276582168","325969589060144690288502607002477657459","89081833886852685892140623503777474500","99804003701978462269687672967659361085"],"threshold":0.9},"source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed","signature_version":"v1"}],"types":["RCE"],"severity":"Critical","fixes":["https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-273874525.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-10-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-10-01","vanir_signatures":[{"target":{"function":"build_read_multi_rsp","file":"stack/gatt/gatt_sr.cc"},"id":"ASB-A-273874525-11fb76c3","signature_type":"Function","deprecated":false,"digest":{"length":1957,"function_hash":"36167147116348345863936788657702224124"},"source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed","signature_version":"v1"},{"target":{"file":"stack/gatt/gatt_sr.cc"},"id":"ASB-A-273874525-a3859905","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["320180208113292607896087960140748321710","185620860055585878484986184931846809734","319420841029342921839194282503417907253","250978578845779696356386414138024276852","318872592807275993100937040753514395656","141269574546360549306461848829328979810","204714876695755523928580335686404439046","183905982059378682327217227057606426163","311954045522797841068282195162869825882","263232450369799039219493308252416876531","400206405204418213502213550468525364","314770545184342246476502425255109428247","307362275633226171916038256427833315124","308895341643965181959918133811250227217","122757879597053200394180763992077422796","67834856507516609453221547184769402811","129943154435575809610568843399508029933","237475983115649658632985560846409519343","13227297075605735205156259313947404717","85253462756822884360816865997710830720","24526966502570633969055920681276582168","325969589060144690288502607002477657459","89081833886852685892140623503777474500","99804003701978462269687672967659361085"],"threshold":0.9},"source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed","signature_version":"v1"}],"types":["RCE"],"severity":"Critical","fixes":["https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-273874525.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-10-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-10-01","vanir_signatures":[{"target":{"file":"system/stack/gatt/gatt_sr.cc"},"id":"ASB-A-273874525-0522e5b7","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["301476335257368158159457184534817724226","185620860055585878484986184931846809734","319420841029342921839194282503417907253","250978578845779696356386414138024276852","318872592807275993100937040753514395656","141269574546360549306461848829328979810","204714876695755523928580335686404439046","183905982059378682327217227057606426163","311954045522797841068282195162869825882","80778354735684940648400822243020094520","298240068789696469338359820937952988798","254072070548644218687734592118588744547","290108680486195309810329624003139389789","246147197161009651927417574757144612761","71153663538600734989617062507828621121","263232450369799039219493308252416876531","400206405204418213502213550468525364","314770545184342246476502425255109428247","307362275633226171916038256427833315124","308895341643965181959918133811250227217","122757879597053200394180763992077422796","67834856507516609453221547184769402811","129943154435575809610568843399508029933","237475983115649658632985560846409519343","13227297075605735205156259313947404717","85253462756822884360816865997710830720","24526966502570633969055920681276582168","325969589060144690288502607002477657459","89081833886852685892140623503777474500","99804003701978462269687672967659361085"],"threshold":0.9},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/85f4d53c7bf90b806639a3a302f0007ffb3b9f23","signature_version":"v1"},{"target":{"function":"build_read_multi_rsp","file":"system/stack/gatt/gatt_sr.cc"},"id":"ASB-A-273874525-16bcc80c","signature_type":"Function","deprecated":false,"digest":{"length":1957,"function_hash":"36167147116348345863936788657702224124"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/85f4d53c7bf90b806639a3a302f0007ffb3b9f23","signature_version":"v1"}],"types":["RCE"],"severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/85f4d53c7bf90b806639a3a302f0007ffb3b9f23"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-273874525.json"}}],"schema_version":"1.7.5"}