{"id":"ASB-A-275895309","details":"In transcodeQ*ToFloat of btif_avrcp_audio_track.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-275895309","CVE-2023-40087"],"modified":"2026-05-01T15:24:27.653932Z","published":"2023-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/243fdf1c0d53bda9e829b4bec9f7c2a824b4d3d1"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-12-01"}]}],"versions":["14-next"],"ecosystem_specific":{"vanir_signatures":[{"id":"ASB-A-275895309-42699483","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd","signature_version":"v1","deprecated":false,"target":{"function":"transcodeQ23ToFloat","file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Function","digest":{"length":362,"function_hash":"179409621985045160296351825110415588968"}},{"id":"ASB-A-275895309-6eb4d82a","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd","signature_version":"v1","deprecated":false,"target":{"file":"system/btif/test/btif_avrcp_audio_track_test.cc"},"signature_type":"Line","digest":{"line_hashes":["38423773015147842072013134283567083750","174012189830858507863955762077560044532","135633024102966060844116958453338085129","137955535784968096964447016227385160391"],"threshold":0.9}},{"id":"ASB-A-275895309-73b3356e","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd","signature_version":"v1","deprecated":false,"target":{"function":"transcodeQ15ToFloat","file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Function","digest":{"length":299,"function_hash":"337201100461407330566560557139231567778"}},{"id":"ASB-A-275895309-a1ff255b","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd","signature_version":"v1","deprecated":false,"target":{"file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Line","digest":{"line_hashes":["280300558855275674199073422000799402164","107168998118329345017595707569814065066","18611739428002861618066819872890431536","228166335113269603158773669243040108266","157145627262574148936630890906564492018","242518214498169388595764073932091846869","206974252045441517950773964414720523864","157086730303617775190328394988974882937","155628381518578166635249144154909470906","152605060078863256043911922730161438363","209190599766860934952205247338007455652","36054002484998715192852893344464866982"],"threshold":0.9}},{"id":"ASB-A-275895309-ab56f426","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd","signature_version":"v1","deprecated":false,"target":{"function":"transcodeQ31ToFloat","file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Function","digest":{"length":299,"function_hash":"212496003472669476486839688612433944610"}},{"id":"ASB-A-275895309-d3dfec94","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd","signature_version":"v1","deprecated":false,"target":{"function":"TEST_F","file":"system/btif/test/btif_avrcp_audio_track_test.cc"},"signature_type":"Function","digest":{"length":744,"function_hash":"188602126122561855613898982677106130891"}}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd"],"severity":"High","spl":"2023-12-01","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-275895309.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-12-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"id":"ASB-A-275895309-0ece7682","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed","signature_version":"v1","deprecated":false,"target":{"function":"transcodeQ23ToFloat","file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Function","digest":{"length":322,"function_hash":"160839904381245494536719496155209634073"}},{"id":"ASB-A-275895309-44e05d9f","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed","signature_version":"v1","deprecated":false,"target":{"file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Line","digest":{"line_hashes":["191428222968463232427926042594146717576","253598044910384043603403844772757449644","239251536732578059726440347451173289867","40261156309124551414125193428140080670","153947787613562610819393265494878747209","250886031778227828577576943365076577525","253170039393634181199450159638815638941","40261156309124551414125193428140080670","123455794058549669091331259783262013798","323895979791774482031446368656521984397","179063609923396586946554846516084954892","40261156309124551414125193428140080670","149631365881432395763508659892935014388","131032745821785502405149665779159932548","202492912323566500215671768492095917498"],"threshold":0.9}},{"id":"ASB-A-275895309-4eddd102","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed","signature_version":"v1","deprecated":false,"target":{"function":"transcodeQ31ToFloat","file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Function","digest":{"length":259,"function_hash":"145723624787213910446231391396063834514"}},{"id":"ASB-A-275895309-7cddce28","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed","signature_version":"v1","deprecated":false,"target":{"function":"transcodeQ15ToFloat","file":"system/btif/src/btif_avrcp_audio_track.cc"},"signature_type":"Function","digest":{"length":259,"function_hash":"67189886256562712738594874091172843917"}}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed"],"severity":"High","spl":"2023-12-01","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-275895309.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-12-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/3d7c7f4c2c514b6a62f827615cb75ba61319b115"],"severity":"High","spl":"2023-12-01","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-275895309.json"}}],"schema_version":"1.7.5"}