{"id":"ASB-A-297524203","details":"In attp_build_read_by_type_value_cmd of att_protocol.cc, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-297524203","CVE-2024-0031"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2024-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-02-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/de53890aaca2ae08b3ee2d6e3fd25f702fdfa661"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-02-01"}]}],"versions":["14-next"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["299876628178033035521066039470250112637","66215980323574624148898703638828225995","164911121559100800600623551343112518348","310621800890956947085723390071823955823"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"system/stack/gatt/att_protocol.cc"},"deprecated":false,"id":"ASB-A-297524203-7637ab20","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/140c41e3553bc59fe97e3f5ee96c64e2251971e2"},{"digest":{"length":618,"function_hash":"261655792844519852331158196010007450035"},"signature_type":"Function","signature_version":"v1","target":{"file":"system/stack/gatt/att_protocol.cc","function":"attp_build_read_by_type_value_cmd"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/140c41e3553bc59fe97e3f5ee96c64e2251971e2","id":"ASB-A-297524203-ca90aac6","deprecated":false}],"spl":"2024-02-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/140c41e3553bc59fe97e3f5ee96c64e2251971e2"],"types":["RCE"
]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-297524203.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-02-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["299876628178033035521066039470250112637","66215980323574624148898703638828225995","164911121559100800600623551343112518348","310621800890956947085723390071823955823"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"system/stack/gatt/att_protocol.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e9b40c3dfd81c3fa99b3f115135de7e2c356ece9","id":"ASB-A-297524203-630f6b90","deprecated":false},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"system/stack/gatt/att_protocol.cc","function":"attp_build_read_by_type_value_cmd"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e9b40c3dfd81c3fa99b3f115135de7e2c356ece9","id":"ASB-A-297524203-e7dfe189","digest":{"length":618,"function_hash":"261655792844519852331158196010007450035"}}],"spl":"2024-02-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e9b40c3dfd81c3fa99b3f115135de7e2c356ece9"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-297524203.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-02-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Line","signature_version":"v1","target":{"file":"system/stack/gatt/att_protocol.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e9b40c3dfd81c3fa99b3f115135de7e2c356ece9","id":"ASB
-A-297524203-27d65bb2","digest":{"line_hashes":["299876628178033035521066039470250112637","66215980323574624148898703638828225995","164911121559100800600623551343112518348","310621800890956947085723390071823955823"],"threshold":0.9}},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"system/stack/gatt/att_protocol.cc","function":"attp_build_read_by_type_value_cmd"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e9b40c3dfd81c3fa99b3f115135de7e2c356ece9","id":"ASB-A-297524203-29573763","digest":{"length":618,"function_hash":"261655792844519852331158196010007450035"}}],"spl":"2024-02-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e9b40c3dfd81c3fa99b3f115135de7e2c356ece9"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-297524203.json"}}],"schema_version":"1.7.5"}