{"id":"ASB-A-374746961","details":"In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-374746961","CVE-2025-48593"],"modified":"2026-04-03T15:37:31.002635Z","published":"2025-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c69c78d7c4f623201f35831d32e6c401156e76cc"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5ed63461b44198c80d5aff7e1af1df812f782abb"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-11-01"}]}],"versions":["16-next"],"ecosystem_specific":{"spl":"2025-11-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b8153e05d0b9224feb0ace8c24eeeadc80e4dffc","https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"],"severity":"Critical","vanir_signatures":[{"digest":{"function_hash":"107145133131574323980814093626681838473","length":3726},"deprecated":false,"signature_type":"Function","target":{"file":"system/stack/sdp/sdp_discovery.cc","function":"process_service_search_attr_rsp"},"signature_version":"v1","id":"ASB-A-374746961-0e6ffe0c","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"},{"digest":{"threshold":0.9,"line_hashes":["112021377856580551342925629428490151059","30112681536051398625177216803906424137","12438847941183059645245926359669460603","317394253551519436069397578682271416074"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc"},"signature_version":"v1","id":"ASB-A-374746961-21ca76fd","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b8153e05d0b9224feb0ace8c24eeeadc80e4dffc"},{"digest":{"threshold":0.9,"line_hashes":["238804026459895453022913362086056890205","278263052649932044669483512920124165617","288555408591286364727192790415508178976","310239700993686457384113902038759571576","140148350515235154336719368798111519292"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"signature_version":"v1","id":"ASB-A-374746961-29ac221d","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"},{"digest":{"function_hash":"58992582756399090722116609625383750269","length":363},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc","function":"bta_hf_client_cb_init"},"signature_version":"v1","id":"ASB-A-374746961-3a60a8e0","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b8153e05d0b9224feb0ace8c24eeeadc80e4dffc"},{"digest":{"threshold":0.9,"line_hashes":["69891922723882410243655355263612687878","56173627238953161318044190149834911610","196350850735753420233486329339095753372","45045635631960233752973807711477206008","154508099774817316785668635488472156498"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc"},"signature_version":"v1","id":"ASB-A-374746961-5172bc8b","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"},{"digest":{"function_hash":"7602246884007681727179432016334213402","length":1747},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc","function":"bta_hf_client_do_disc"},"signature_version":"v1","id":"ASB-A-374746961-57070070","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"},{"digest":{"function_hash":"229622808918631679597329310342793922823","length":708},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc","function":"bta_hf_client_cb_init"},"signature_version":"v1","id":"ASB-A-374746961-a6512d56","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"},{"digest":{"threshold":0.9,"line_hashes":["214139034142327915822072969261211902385","89198987951694386994374981713156137678","275455677005498114417438064572795189666","5518885018645912677899697861766934015","309146401325579449020992180879533876831"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"signature_version":"v1","id":"ASB-A-374746961-f753ca8d","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ba1083bc3d6f8a4badf9dbbb039d404f019d3762"}],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-374746961.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-11-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-11-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a9518fe2c686de00320981567a2667de490de903"],"severity":"Critical","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["30112681536051398625177216803906424137","12438847941183059645245926359669460603","317394253551519436069397578682271416074"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc"},"signature_version":"v1","id":"ASB-A-374746961-6894a181","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a9518fe2c686de00320981567a2667de490de903"},{"digest":{"function_hash":"58992582756399090722116609625383750269","length":363},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc","function":"bta_hf_client_cb_init"},"signature_version":"v1","id":"ASB-A-374746961-9ff9bc46","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a9518fe2c686de00320981567a2667de490de903"}],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-374746961.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-11-01"}]}],"versions":["16"],"ecosystem_specific":{"spl":"2025-11-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"],"severity":"Critical","vanir_signatures":[{"digest":{"function_hash":"39330477219114763862282159697897214578","length":3688},"deprecated":false,"signature_type":"Function","target":{"file":"system/stack/sdp/sdp_discovery.cc","function":"process_service_search_attr_rsp"},"signature_version":"v1","id":"ASB-A-374746961-1e05f2da","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"},{"digest":{"function_hash":"61077456274194582509773685081088371368","length":701},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc","function":"bta_hf_client_cb_init"},"signature_version":"v1","id":"ASB-A-374746961-57afee31","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"},{"digest":{"threshold":0.9,"line_hashes":["214139034142327915822072969261211902385","89198987951694386994374981713156137678","275455677005498114417438064572795189666","5518885018645912677899697861766934015","309146401325579449020992180879533876831"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc"},"signature_version":"v1","id":"ASB-A-374746961-69aaafc1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"},{"digest":{"threshold":0.9,"line_hashes":["69891922723882410243655355263612687878","56173627238953161318044190149834911610","196350850735753420233486329339095753372","45045635631960233752973807711477206008","154508099774817316785668635488472156498"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc"},"signature_version":"v1","id":"ASB-A-374746961-74996092","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"},{"digest":{"threshold":0.9,"line_hashes":["238804026459895453022913362086056890205","278263052649932044669483512920124165617","288555408591286364727192790415508178976","310239700993686457384113902038759571576","140148350515235154336719368798111519292"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"signature_version":"v1","id":"ASB-A-374746961-a8e13539","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"},{"digest":{"function_hash":"7602246884007681727179432016334213402","length":1747},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_sdp.cc","function":"bta_hf_client_do_disc"},"signature_version":"v1","id":"ASB-A-374746961-f3ee83e2","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6649ae8e46295770fc7612f49e00e8fdf23893fb"}],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-374746961.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-11-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2025-11-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6c84125d5b048d05a24b9805e5d3792edd8e5629"],"severity":"Critical","vanir_signatures":[{"digest":{"function_hash":"64371983548356079783213996724393721879","length":370},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc","function":"bta_hf_client_cb_init"},"signature_version":"v1","id":"ASB-A-374746961-969e0308","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6c84125d5b048d05a24b9805e5d3792edd8e5629"},{"digest":{"threshold":0.9,"line_hashes":["30112681536051398625177216803906424137","12438847941183059645245926359669460603","317394253551519436069397578682271416074"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc"},"signature_version":"v1","id":"ASB-A-374746961-f02df084","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6c84125d5b048d05a24b9805e5d3792edd8e5629"}],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-374746961.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-11-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-11-01","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5982fb459df4d62606ab21582a6f53c926f7bb2c"],"severity":"Critical","vanir_signatures":[{"digest":{"function_hash":"64371983548356079783213996724393721879","length":370},"deprecated":false,"signature_type":"Function","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc","function":"bta_hf_client_cb_init"},"signature_version":"v1","id":"ASB-A-374746961-31754383","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5982fb459df4d62606ab21582a6f53c926f7bb2c"},{"digest":{"threshold":0.9,"line_hashes":["30112681536051398625177216803906424137","12438847941183059645245926359669460603","317394253551519436069397578682271416074"]},"deprecated":false,"signature_type":"Line","target":{"file":"system/bta/hf_client/bta_hf_client_main.cc"},"signature_version":"v1","id":"ASB-A-374746961-8178f6bb","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5982fb459df4d62606ab21582a6f53c926f7bb2c"}],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-374746961.json"}}],"schema_version":"1.7.5"}