{"id":"ASB-A-364027949","details":"In gatts_process_read_req of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-364027949","CVE-2024-43771"],"modified":"2026-04-21T15:25:42.831358Z","published":"2025-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c7468e64bb5e821563a910ccd8e5693c179c9da4"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-01-01"}]}],"versions":["15-next"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"id":"ASB-A-364027949-17a826f7","digest":{"threshold":0.9,"line_hashes":["73195809151671638912021880081212524930","166502590214268424367121578547746522305","247706984838498109398675757824649790753","315019094983899779418568733552817699748","83762924092308347658617299944389919479","254902864810161459416971793163088546379","196178134462344522814176753984460788197","279622060697144804304625180375643630946","223477382937635419669272203771965103767","1960198259503915119967230187628605704","66254350827859887876499744116862209316","262806853860335332372772791548586258965","150611675201788300272142464243413304173"]},"signature_type":"Line","signature_version":"v1"},{"target":{"function":"gatts_process_primary_service_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"id":"ASB-A-364027949-3827c5ea","digest":{"length":1324,"function_hash":"140878766634733266954635798763519620581"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_read_by_type_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"id":"ASB-A-364027949-3ff0fad8","digest":{"length":1717,"function_hash":"248491112306616213556074563010930516473"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_read_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"id":"ASB-A-364027949-b43efdf5","digest":{"length":1157,"function_hash":"69665958368321808384825513943432689445"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_find_info","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a","deprecated":false,"id":"ASB-A-364027949-ba6220ee","digest":{"length":1017,"function_hash":"324626715642112619947952676342156858113"},"signature_type":"Function","signature_version":"v1"}],"spl":"2025-01-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364027949.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2025-01-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2025-01-01","fixes":["https://android.googlesource.com/platform/system/bt/+/7e5f45df8880293e1ab40367670d1a8959a542f9"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364027949.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2025-01-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2025-01-01","fixes":["https://android.googlesource.com/platform/system/bt/+/7e5f45df8880293e1ab40367670d1a8959a542f9"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364027949.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-01-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-01-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/84ea459acaf3c6e7215e044e59dc3e9187f1f7b8"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364027949.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-01-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"target":{"function":"gatts_process_read_by_type_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-80714ab1","digest":{"length":1709,"function_hash":"59907721387275796891791880982636164831"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_find_info","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-83af7302","digest":{"length":1013,"function_hash":"268512766584913294539741796509741126456"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_read_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-a0478448","digest":{"length":1228,"function_hash":"10210466590019957247735252267736265287"},"signature_type":"Function","signature_version":"v1"},{"target":{"file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-ab8983b1","digest":{"threshold":0.9,"line_hashes":["196188171440176825939806200179255172593","1343846276710123130481317655775445976","162707953477914375301304852354564105157","237632184094319759594373126038928156","73412303094902604806141279010004724322","213793042301422949472188878356196466428","274459867152185406121724678773523115431","192696816679659929020304638215736036804","133504366274441222416588714725015718987","21203466509074868465527884809617529072","194708559555065354067195318099669152827","318666791156319226780322955888919039055","244954544663744206864763512961316080849"]},"signature_type":"Line","signature_version":"v1"},{"target":{"function":"gatts_process_primary_service_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-b03cbff8","digest":{"length":1372,"function_hash":"295457614205376007172365195382679517796"},"signature_type":"Function","signature_version":"v1"}],"spl":"2025-01-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364027949.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-01-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-191eca3b","digest":{"threshold":0.9,"line_hashes":["196188171440176825939806200179255172593","1343846276710123130481317655775445976","162707953477914375301304852354564105157","237632184094319759594373126038928156","73412303094902604806141279010004724322","213793042301422949472188878356196466428","274459867152185406121724678773523115431","192696816679659929020304638215736036804","133504366274441222416588714725015718987","21203466509074868465527884809617529072","194708559555065354067195318099669152827","318666791156319226780322955888919039055","244954544663744206864763512961316080849"]},"signature_type":"Line","signature_version":"v1"},{"target":{"function":"gatts_process_read_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-44e14824","digest":{"length":1228,"function_hash":"10210466590019957247735252267736265287"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_find_info","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-4638b31c","digest":{"length":1013,"function_hash":"268512766584913294539741796509741126456"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_read_by_type_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-ace40604","digest":{"length":1709,"function_hash":"59907721387275796891791880982636164831"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"gatts_process_primary_service_req","file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907","deprecated":false,"id":"ASB-A-364027949-c96609ee","digest":{"length":1372,"function_hash":"295457614205376007172365195382679517796"},"signature_type":"Function","signature_version":"v1"}],"spl":"2025-01-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364027949.json"}}],"schema_version":"1.7.5"}