{"id":"ASB-A-273966636","details":"In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-273966636","CVE-2023-35673"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2023-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/8770c07c102c7fdc74626dc717acc8f6dd1c92cc"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-09-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-09-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/70a4d628fa016a9487fae07f211644b95e1f0000"],"severity":"Critical","vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/70a4d628fa016a9487fae07f211644b95e1f0000","digest":{"length":1856,"function_hash":"240925002555156140249518465647210347099"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-273966636-4055f2f0","deprecated":false,"target":{"function":"build_read_multi_rsp","file":"system/stack/gatt/gatt_sr.cc"}},{"signature_type":"Line","digest":{"line_hashes":["2595529555414629676206999964520684550","183504299268696529699332370268148851082","199471212518345456923129245182522694027","252152932270604754934792315083902041917","51554914984240895083286702700298661153","54865752525013115485817960974458127610","138400960017935528663548606489186108685","36679679188416012704038671968509033341","122920067994958519894144405910339995677","262658403677556901038941525980560849440","333165447868284643075011688300903607556","237475983115649658632985560846409519343","13227297075605735205156259313947404717","85253462756822884360816865997710830720"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"ASB-A-273966636-ae4e247b","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/70a4d628fa016a9487fae07f211644b95e1f0000","target":{"file":"system/stack/gatt/gatt_sr.cc"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-273966636.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-09-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-09-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/badb8ffce06b517cbcfdbfa68cb7b7e02d22494a"],"severity":"Critical","vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/badb8ffce06b517cbcfdbfa68cb7b7e02d22494a","digest":{"function_hash":"240925002555156140249518465647210347099","length":1856},"signature_version":"v1","signature_type":"Function","id":"ASB-A-273966636-9220b9a5","deprecated":false,"target":{"function":"build_read_multi_rsp","file":"system/stack/gatt/gatt_sr.cc"}},{"signature_type":"Line","digest":{"line_hashes":["2595529555414629676206999964520684550","183504299268696529699332370268148851082","199471212518345456923129245182522694027","252152932270604754934792315083902041917","51554914984240895083286702700298661153","54865752525013115485817960974458127610","138400960017935528663548606489186108685","36679679188416012704038671968509033341","122920067994958519894144405910339995677","262658403677556901038941525980560849440","333165447868284643075011688300903607556","237475983115649658632985560846409519343","13227297075605735205156259313947404717","85253462756822884360816865997710830720"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"ASB-A-273966636-ebc12258","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/badb8ffce06b517cbcfdbfa68cb7b7e02d22494a","target":{"file":"system/stack/gatt/gatt_sr.cc"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-273966636.json"}}],"schema_version":"1.7.5"}