{"id":"ASB-A-291500341","details":"In callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-291500341","CVE-2023-40088"],"modified":"2026-05-19T16:54:37.272608834Z","published":"2023-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5bfd817719fcf55cbb3476e6b5539a3db4c437fc"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-12-01"}]}],"versions":["14-next"],"ecosystem_specific":{"severity":"Critical","spl":"2023-12-01","types":["RCE"],"vanir_signatures":[{"id":"ASB-A-291500341-b825de99","deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff","target":{"function":"callback_thread_event","file":"android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp"},"digest":{"length":601,"function_hash":"312362788732837549004324994487428037529"}},{"id":"ASB-A-291500341-e9053a67","deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff","target":{"file":"android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp"},"digest":{"line_hashes":["8255340654143878724535396870442594620","36692132903426486391514882143057466613","284954140669885612926274862545155417821","10142301673099568437802249085449144394"],"threshold":0.9}}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291500341.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-12-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["RCE"],"spl":"2023-12-01","severity":"Critical","vanir_signatures":[{"id":"ASB-A-291500341-021233a4","deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff","target":{"function":"callback_thread_event","file":"android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp"},"digest":{"length":601,"function_hash":"312362788732837549004324994487428037529"}},{"id":"ASB-A-291500341-25236a74","deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff","target":{"file":"android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp"},"digest":{"line_hashes":["8255340654143878724535396870442594620","36692132903426486391514882143057466613","284954140669885612926274862545155417821","10142301673099568437802249085449144394"],"threshold":0.9}}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291500341.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-12-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["RCE"],"spl":"2023-12-01","severity":"Critical","vanir_signatures":[{"id":"ASB-A-291500341-77e33724","deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff","target":{"function":"callback_thread_event","file":"android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp"},"digest":{"length":601,"function_hash":"312362788732837549004324994487428037529"}},{"id":"ASB-A-291500341-b45a3704","deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff","target":{"file":"android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp"},"digest":{"line_hashes":["8255340654143878724535396870442594620","36692132903426486391514882143057466613","284954140669885612926274862545155417821","10142301673099568437802249085449144394"],"threshold":0.9}}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-291500341.json"}}],"schema_version":"1.7.5"}