{"id":"ASB-A-274617156","details":"In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible privilege escalation due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-274617156","CVE-2023-35658"],"modified":"2026-05-26T15:46:26.044149249Z","published":"2023-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d03a3020de69143b1fe8129d75e55f14951dd192"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-09-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-09-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c","https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2dea9ee94cb226e1d4512605ecd3eb6c10a23469"],"vanir_signatures":[{"signature_type":"Function","target":{"function":"gatt_process_prep_write_rsp","file":"system/stack/gatt/gatt_cl.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c","digest":{"length":888,"function_hash":"327308509473520656259748089261658192523"},"deprecated":false,"signature_version":"v1","id":"ASB-A-274617156-c2458c64"},{"id":"ASB-A-274617156-e2d14812","target":{"file":"system/stack/gatt/gatt_cl.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c","digest":{"line_hashes":["318440185895434637676380588862911382286","13514835453571790780077099379225445734","28648695534725913265346600049273226947","145670385113418970428262088660637920665","277598990240879637461296365000270535121","67207769955544220583744134133328629092","166843589009004638375159620055223363904","263351727945242443198419910108234088999"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line"}],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274617156.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-09-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-09-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5"],"vanir_signatures":[{"id":"ASB-A-274617156-13263728","target":{"file":"system/stack/gatt/gatt_cl.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5","digest":{"line_hashes":["318440185895434637676380588862911382286","13514835453571790780077099379225445734","28648695534725913265346600049273226947","145670385113418970428262088660637920665","277598990240879637461296365000270535121","67207769955544220583744134133328629092","166843589009004638375159620055223363904","263351727945242443198419910108234088999"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line"},{"id":"ASB-A-274617156-c53db921","target":{"function":"gatt_process_prep_write_rsp","file":"system/stack/gatt/gatt_cl.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5","digest":{"length":888,"function_hash":"327308509473520656259748089261658192523"},"signature_version":"v1","deprecated":false,"signature_type":"Function"}],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274617156.json"}}],"schema_version":"1.7.5"}