{"id":"ASB-A-364025411","details":"In gatts_process_primary_service_req of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-364025411","CVE-2024-49748"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2025-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c7468e64bb5e821563a910ccd8e5693c179c9da4"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-01-01"}]}],"versions":["15-next"],"ecosystem_specific":{"vanir_signatures":[{"id":"ASB-A-364025411-17a826f7","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["73195809151671638912021880081212524930","166502590214268424367121578547746522305","247706984838498109398675757824649790753","315019094983899779418568733552817699748","83762924092308347658617299944389919479","254902864810161459416971793163088546379","196178134462344522814176753984460788197","279622060697144804304625180375643630946","223477382937635419669272203771965103767","1960198259503915119967230187628605704","66254350827859887876499744116862209316","262806853860335332372772791548586258965","150611675201788300272142464243413304173"]},"target":{"file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-3827c5ea","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"digest":{"function_hash":"140878766634733266954635798763519620581","length":1324},"target":{"function":"gatts_process_primary_service_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-3ff0fad8","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","signature_type":"Function","deprecated":false,"digest":{"function_hash":"248491112306616213556074563010930516473","length":1717},"target":{"function":"gatts_process_read_by_type_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-b43efdf5","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"digest":{"function_hash":"69665958368321808384825513943432689445","length":1157},"target":{"file":"system/stack/gatt/gatt_sr.cc","function":"gatts_process_read_req"},"signature_version":"v1"},{"id":"ASB-A-364025411-ba6220ee","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"digest":{"function_hash":"324626715642112619947952676342156858113","length":1017},"target":{"function":"gatts_process_find_info","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"}],"spl":"2025-01-01","severity":"Critical","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364025411.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2025-01-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2025-01-01","severity":"Critical","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/7e5f45df8880293e1ab40367670d1a8959a542f9"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364025411.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2025-01-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2025-01-01","severity":"Critical","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/7e5f45df8880293e1ab40367670d1a8959a542f9"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364025411.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-01-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-01-01","severity":"Critical","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/84ea459acaf3c6e7215e044e59dc3e9187f1f7b8"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364025411.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-01-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"id":"ASB-A-364025411-80714ab1","signature_type":"Function","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"digest":{"function_hash":"59907721387275796891791880982636164831","length":1709},"target":{"file":"system/stack/gatt/gatt_sr.cc","function":"gatts_process_read_by_type_req"},"signature_version":"v1"},{"id":"ASB-A-364025411-83af7302","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"268512766584913294539741796509741126456","length":1013},"target":{"function":"gatts_process_find_info","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-a0478448","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"10210466590019957247735252267736265287","length":1228},"target":{"function":"gatts_process_read_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-ab8983b1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["196188171440176825939806200179255172593","1343846276710123130481317655775445976","162707953477914375301304852354564105157","237632184094319759594373126038928156","73412303094902604806141279010004724322","213793042301422949472188878356196466428","274459867152185406121724678773523115431","192696816679659929020304638215736036804","133504366274441222416588714725015718987","21203466509074868465527884809617529072","194708559555065354067195318099669152827","318666791156319226780322955888919039055","244954544663744206864763512961316080849"]},"target":{"file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-b03cbff8","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"295457614205376007172365195382679517796","length":1372},"target":{"function":"gatts_process_primary_service_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"}],"spl":"2025-01-01","severity":"Critical","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364025411.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-01-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"id":"ASB-A-364025411-191eca3b","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["196188171440176825939806200179255172593","1343846276710123130481317655775445976","162707953477914375301304852354564105157","237632184094319759594373126038928156","73412303094902604806141279010004724322","213793042301422949472188878356196466428","274459867152185406121724678773523115431","192696816679659929020304638215736036804","133504366274441222416588714725015718987","21203466509074868465527884809617529072","194708559555065354067195318099669152827","318666791156319226780322955888919039055","244954544663744206864763512961316080849"]},"target":{"file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-44e14824","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"10210466590019957247735252267736265287","length":1228},"target":{"function":"gatts_process_read_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-4638b31c","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"268512766584913294539741796509741126456","length":1013},"target":{"function":"gatts_process_find_info","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-ace40604","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"59907721387275796891791880982636164831","length":1709},"target":{"function":"gatts_process_read_by_type_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"},{"id":"ASB-A-364025411-c96609ee","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","signature_type":"Function","deprecated":false,"digest":{"function_hash":"295457614205376007172365195382679517796","length":1372},"target":{"function":"gatts_process_primary_service_req","file":"system/stack/gatt/gatt_sr.cc"},"signature_version":"v1"}],"spl":"2025-01-01","severity":"Critical","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364025411.json"}}],"schema_version":"1.7.5"}