{"id":"ASB-A-323850943","details":"In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-323850943","CVE-2024-43096"],"modified":"2026-05-19T16:54:37.272608834Z","published":"2025-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bfe316cf9f026d5b48bcfb2f457685b537baa9a3"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-01-01"}]}],"versions":["15-next"],"ecosystem_specific":{"severity":"Critical","vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cad927034a371b82a4a07a16ec442eb261f6153f","target":{"file":"system/stack/eatt/eatt.h"},"digest":{"line_hashes":["78285213672218947306208345211655983105","183433225229324617196135444544056191152","219600331381263172774379618387353468820","44643297489575056203030606925251196432"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-323850943-1b068b74","signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cad927034a371b82a4a07a16ec442eb261f6153f","target":{"file":"system/stack/gatt/gatt_sr.cc"},"digest":{"line_hashes":["28540336744497903520400251666372907305","86831248994667678226772388699402668801","30989956938485687381134677525868900142"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-323850943-727979f1","signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cad927034a371b82a4a07a16ec442eb261f6153f","id":"ASB-A-323850943-778d3873","digest":{"function_hash":"189499681506240789787627312582502714293","length":2004},"signature_type":"Function","target":{"function":"build_read_multi_rsp","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1","deprecated":false}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cad927034a371b82a4a07a16ec442eb261f6153f"],"types":["RCE"],"spl":"2025-01-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-323850943.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2025-01-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2025-01-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/system/bt/+/c177fdbd6189a114239e11e2713740b5a50624e1"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-323850943.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2025-01-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/c177fdbd6189a114239e11e2713740b5a50624e1"],"severity":"Critical","spl":"2025-01-01","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-323850943.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-01-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-01-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2b68d81a761d1f92625a5cd29ddb458fcdb46f52"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-323850943.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-01-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2025-01-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48"],"types":["RCE"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48","target":{"function":"build_read_multi_rsp","file":"system/stack/gatt/gatt_sr.cc"},"digest":{"function_hash":"232795977407513798786932719878707408517","length":2044},"signature_type":"Function","id":"ASB-A-323850943-6a4659a3","signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48","target":{"file":"system/stack/gatt/gatt_sr.cc"},"digest":{"line_hashes":["28540336744497903520400251666372907305","86831248994667678226772388699402668801","30989956938485687381134677525868900142"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-323850943-912ba8bd","signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48","id":"ASB-A-323850943-dddab008","digest":{"line_hashes":["78285213672218947306208345211655983105","183433225229324617196135444544056191152","219600331381263172774379618387353468820","44643297489575056203030606925251196432"],"threshold":0.9},"signature_type":"Line","target":{"file":"system/stack/eatt/eatt.h"},"signature_version":"v1","deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-323850943.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-01-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48","target":{"file":"system/stack/gatt/gatt_sr.cc"},"digest":{"line_hashes":["28540336744497903520400251666372907305","86831248994667678226772388699402668801","30989956938485687381134677525868900142"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-323850943-3097b1ae","signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48","target":{"function":"build_read_multi_rsp","file":"system/stack/gatt/gatt_sr.cc"},"digest":{"function_hash":"232795977407513798786932719878707408517","length":2044},"signature_type":"Function","id":"ASB-A-323850943-477106bc","signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48","target":{"file":"system/stack/eatt/eatt.h"},"digest":{"line_hashes":["78285213672218947306208345211655983105","183433225229324617196135444544056191152","219600331381263172774379618387353468820","44643297489575056203030606925251196432"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-323850943-e1ee1b50","signature_version":"v1","deprecated":false}],"severity":"Critical","spl":"2025-01-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-323850943.json"}}],"schema_version":"1.7.5"}