{"id":"ASB-A-291281168","details":"In multiple locations, there is a possible out of bounds write due to a use after free. This could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-291281168","CVE-2025-0084"],"modified":"2026-04-10T16:16:18.068628Z","published":"2025-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/94c565214e3496fbaade9efed8be41d6425ba21e"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-03-01"}]}],"versions":["15-next"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0a9516473b961ec87dd404e7ec7ec08878863007","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"threshold":0.9,"line_hashes":["335368174811882274076803387340832741725","255031183291357723729392712308822489280","89229534733456882219803669197240033416","150124077756793490750368150011669814184"]},"id":"ASB-A-291281168-4029bdf3","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0a9516473b961ec87dd404e7ec7ec08878863007","target":{"function":"bta_hf_client_do_disc","file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"function_hash":"55358988029788956911272662740912552981","length":1278},"id":"ASB-A-291281168-666a0eb2","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0a9516473b961ec87dd404e7ec7ec08878863007","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"threshold":0.9,"line_hashes":["254894881002214492044306048939760605142","159748619053514283753669561004036297346","25363138603644386313863572322508944179","269601458157509761513275739540777980366"]},"id":"ASB-A-291281168-70630a8d","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0a9516473b961ec87dd404e7ec7ec08878863007","target":{"function":"process_service_search_attr_rsp","file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"function_hash":"310920496597318753910233274266619904423","length":3344},"id":"ASB-A-291281168-d92a4ec3","deprecated":false,"signature_version":"v1","signature_type":"Function"}],"severity":"Critical","spl":"2025-03-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0a9516473b961ec87dd404e7ec7ec08878863007"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291281168.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-03-01"}]}],"versions":["15"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/27d31199637cbb1b322c8e85195fdaf2bee31da7","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"threshold":0.9,"line_hashes":["159748619053514283753669561004036297346","25363138603644386313863572322508944179","244994858623867397024298003931058285424"]},"id":"ASB-A-291281168-29939421","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/27d31199637cbb1b322c8e85195fdaf2bee31da7","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"threshold":0.9,"line_hashes":["255031183291357723729392712308822489280","89229534733456882219803669197240033416","150124077756793490750368150011669814184"]},"id":"ASB-A-291281168-70af9f2d","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/27d31199637cbb1b322c8e85195fdaf2bee31da7","target":{"function":"bta_hf_client_do_disc","file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"function_hash":"55358988029788956911272662740912552981","length":1278},"id":"ASB-A-291281168-89deb657","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/27d31199637cbb1b322c8e85195fdaf2bee31da7","target":{"function":"process_service_search_attr_rsp","file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"function_hash":"48886429007938031076324531841910728667","length":3316},"id":"ASB-A-291281168-ab5abc09","deprecated":false,"signature_version":"v1","signature_type":"Function"}],"severity":"Critical","spl":"2025-03-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/27d31199637cbb1b322c8e85195fdaf2bee31da7"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291281168.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-03-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"function":"bta_hf_client_do_disc","file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"function_hash":"175959268000196746124901177656112188651","length":1081},"id":"ASB-A-291281168-096e6068","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"threshold":0.9,"line_hashes":["255031183291357723729392712308822489280","89229534733456882219803669197240033416","150124077756793490750368150011669814184"]},"id":"ASB-A-291281168-be977787","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"threshold":0.9,"line_hashes":["159748619053514283753669561004036297346","129468403904434157000099795095811556475","210707820905137651020899590730257068989"]},"id":"ASB-A-291281168-d3e11696","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"function":"process_service_search_attr_rsp","file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"function_hash":"50964962791788962943241798313227745602","length":3308},"id":"ASB-A-291281168-d68af113","deprecated":false,"signature_version":"v1","signature_type":"Function"}],"severity":"Critical","spl":"2025-03-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291281168.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-03-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"function":"process_service_search_attr_rsp","file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"function_hash":"50964962791788962943241798313227745602","length":3308},"id":"ASB-A-291281168-3cb58af0","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"function":"bta_hf_client_do_disc","file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"function_hash":"175959268000196746124901177656112188651","length":1081},"id":"ASB-A-291281168-7d162416","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"digest":{"threshold":0.9,"line_hashes":["159748619053514283753669561004036297346","129468403904434157000099795095811556475","210707820905137651020899590730257068989"]},"id":"ASB-A-291281168-95a4e7e0","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"digest":{"threshold":0.9,"line_hashes":["255031183291357723729392712308822489280","89229534733456882219803669197240033416","150124077756793490750368150011669814184"]},"id":"ASB-A-291281168-a484a4bd","deprecated":false,"signature_version":"v1","signature_type":"Line"}],"severity":"Critical","spl":"2025-03-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/316bf3f262031ccd03dc4269a1b437a8b561beea"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291281168.json"}}],"schema_version":"1.7.5"}