{"id":"ASB-A-375396810","details":"In hidd_check_config_done of hidd_conn.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-375396810","CVE-2025-22407"],"modified":"2026-04-17T15:55:28.020024Z","published":"2025-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-03-01"}]}],"versions":["15-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce"],"severity":"High","types":["ID"],"vanir_signatures":[{"target":{"file":"system/stack/sdp/sdp_server.cc","function":"process_service_search"},"signature_type":"Function","digest":{"function_hash":"211682704352143239582969659138051468098","length":2448},"deprecated":false,"id":"ASB-A-375396810-14a28aa1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_ts_frames.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["286492870679602804280964940989204901945","67110201630402263891771703272658454172","256109504533161345568861341919688005179","134700917868465397091104271083321682710","150656896105989019014209336970868281653","242968755299909932195285964837982845832","160892530356149352026281647557871454263","220186030684688752703802123991787488089"]},"deprecated":false,"id":"ASB-A-375396810-25c463de","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_server.cc","function":"process_service_attr_req"},"signature_type":"Function","digest":{"function_hash":"310920675969930511777141851498808176379","length":5816},"deprecated":false,"id":"ASB-A-375396810-2b94d904","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_discovery.cc","function":"process_service_attr_rsp"},"signature_type":"Function","digest":{"function_hash":"205347561901463235834401272257821673301","length":2674},"deprecated":false,"id":"ASB-A-375396810-3926e970","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/avct/avct_lcb_act.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["142600366915217162261739578436175484793","255299789667415803693575933947461572783","106632307121245935338573268112607750018","269772223161259960096375348066468600541","269372604943126953834979591812938494537","144707340389045496811475387088503090325","121496720903623348799813417725012027760","317626365540118766860480187588170966381"]},"deprecated":false,"id":"ASB-A-375396810-505f7b27","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/hid/hidd_conn.cc","function":"hidd_check_config_done"},"signature_type":"Function","digest":{"function_hash":"75580304012516946551019259548117278475","length":602},"deprecated":false,"id":"ASB-A-375396810-5ccf29e1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_utils.cc","function":"bnepu_check_send_packet"},"signature_type":"Function","digest":{"function_hash":"12673076343507638312812824653104382089","length":677},"deprecated":false,"id":"ASB-A-375396810-65da7ada","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_discovery.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["149272764073703809669421546090731542086","132375438198367819111153161607144242575","186177419848916491106430461256472221809","173774141378478538531125887402733948298"]},"deprecated":false,"id":"ASB-A-375396810-7a2462c1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_ind"},"signature_type":"Function","digest":{"function_hash":"298131935973619507107049381436297318889","length":1581},"deprecated":false,"id":"ASB-A-375396810-7c1040b7","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_utils.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["74641538914346852857267348249740164903","293395952620485091978881415781896805742","266579781076762653552747380862386612904","310074054473201161610099806162878752225","42250379856589024969395104863387963094","1836413212261462881434922511270017843","339312077979917122918925805090104541575"]},"deprecated":false,"id":"ASB-A-375396810-7ca19e21","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_utils.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["71016669386664999699571887293822839632","158418248385361645084367451181786161370","111150459039969148351689205583351752605","296544364640014085120524446797662561862","314269659719338931261932183198514959018","85671645750158290750940906116145001785","278689253255781974557001976675962955782","246299187267508569837624111916129823843"]},"deprecated":false,"id":"ASB-A-375396810-7ff5ab72","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_utils.cc","function":"rfc_check_send_cmd"},"signature_type":"Function","digest":{"function_hash":"253678056635035088504033523220752328234","length":676},"deprecated":false,"id":"ASB-A-375396810-99e92726","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_ts_frames.cc","function":"rfc_send_buf_uih"},"signature_type":"Function","digest":{"function_hash":"91424337111038413579272907700077040308","length":1251},"deprecated":false,"id":"ASB-A-375396810-a1f3b7a5","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_main.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["278719654710964618101210848754009275059","49885897274829998276364004515720726758","213786969092065232671792541435749925905","262713393390953510170728638432178916805","137174571306154522262397846868544064959","28344529003624627703427290036788761406","220186030684688752703802123991787488089"]},"deprecated":false,"id":"ASB-A-375396810-a49c699b","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_server.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["21449444399169415137039231101742242443","60515099035128252460509346087551164686","254748262588180354977847863067803374759","6413842235703169635818426872924502154","21449444399169415137039231101742242443","60515099035128252460509346087551164686","254748262588180354977847863067803374759","312620671144370223027810779677125236580"]},"deprecated":false,"id":"ASB-A-375396810-d9d36144","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/hid/hidd_conn.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["128323925956333047702747552450695125822","253537584789621024230809936703314682988","126526341276163702897146843989459870879","109389038437024207784949494393571815066","174444684524383211097674842390477420011","275284755790749135861706596144142952317","123851060640754868022270066786042676363","65495981240995975797575921080681322630"]},"deprecated":false,"id":"ASB-A-375396810-ebe093a2","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_main.cc","function":"bnep_congestion_ind"},"signature_type":"Function","digest":{"function_hash":"41505479305311525475484895086379786917","length":900},"deprecated":false,"id":"ASB-A-375396810-f2fae6b7","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce","signature_version":"v1"}],"spl":"2025-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-375396810.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-03-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda"],"severity":"High","types":["ID"],"vanir_signatures":[{"target":{"file":"system/stack/rfcomm/rfc_utils.cc","function":"rfc_check_send_cmd"},"signature_type":"Function","digest":{"function_hash":"321200814064128877042672082823264823858","length":617},"deprecated":false,"id":"ASB-A-375396810-04d03211","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_server.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["91418632319498322876677883531524763797","9566919150869272321742117416091613434","254748262588180354977847863067803374759","95705185445191313933742018616909606092","91418632319498322876677883531524763797","9566919150869272321742117416091613434","254748262588180354977847863067803374759","192087470961399380878501811772055348289"]},"deprecated":false,"id":"ASB-A-375396810-2aea7575","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_ts_frames.cc","function":"rfc_send_buf_uih"},"signature_type":"Function","digest":{"function_hash":"97950963671516076722907839761488627701","length":1196},"deprecated":false,"id":"ASB-A-375396810-47cdd9bf","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_server.cc","function":"process_service_attr_req"},"signature_type":"Function","digest":{"function_hash":"73697139206039476712285903623227021937","length":5998},"deprecated":false,"id":"ASB-A-375396810-6d42be5f","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_utils.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["299451248804576891787932252786131493340","192083520513499272022928318348902377499","79511065831158490707500604246310708319","304762324907287739139098819688307468929","195168152284684033935047996135140923235","1836413212261462881434922511270017843","310857444648749042189900469046990731281"]},"deprecated":false,"id":"ASB-A-375396810-7a411eb4","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_discovery.cc","function":"process_service_attr_rsp"},"signature_type":"Function","digest":{"function_hash":"135461965972903847797979952307998347766","length":2544},"deprecated":false,"id":"ASB-A-375396810-7dcb9945","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_server.cc","function":"process_service_search"},"signature_type":"Function","digest":{"function_hash":"46563877092635324401260374702719991207","length":2294},"deprecated":false,"id":"ASB-A-375396810-860cf7ea","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_utils.cc","function":"bnepu_check_send_packet"},"signature_type":"Function","digest":{"function_hash":"285997084590554510617268480406656919495","length":622},"deprecated":false,"id":"ASB-A-375396810-9ad5621e","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_ind"},"signature_type":"Function","digest":{"function_hash":"67090635879745761987134938786039020001","length":1505},"deprecated":false,"id":"ASB-A-375396810-9c4f8733","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/sdp/sdp_discovery.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["250317447892411460895860938264291182803","167288907091122585214705296993377740906","320217447774151956406964022062422034648","307622193380667158305078197192178528596"]},"deprecated":false,"id":"ASB-A-375396810-a3166250","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/rfcomm/rfc_ts_frames.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["286492870679602804280964940989204901945","211254896647837242848190817971513218553","207085936720236288918878956511547821502","129281804899115056214162404989653148181","321023820521853794160621058226240787268","160892530356149352026281647557871454263","64009599396143373018022061541708527060"]},"deprecated":false,"id":"ASB-A-375396810-a4832bd8","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/hid/hidd_conn.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["308105771725349232725393550909388403893","73734462354003377920339872300758312218","310280735229051794442434446013687597567","148345859783989005339004394524836323283","118296014518729984433001555325446521922","123851060640754868022270066786042676363","65495981240995975797575921080681322630"]},"deprecated":false,"id":"ASB-A-375396810-ad7c336a","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_main.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["6307759565825593520286495790524229088","93877622375622581870259841540856315783","195524062534868238641192477062326844709","74636732666957017306843496165923802965","28344529003624627703427290036788761406","257411923728504995207558690776844541915"]},"deprecated":false,"id":"ASB-A-375396810-e1180a62","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/hid/hidd_conn.cc","function":"hidd_check_config_done"},"signature_type":"Function","digest":{"function_hash":"332861680645930691677172432150399466399","length":547},"deprecated":false,"id":"ASB-A-375396810-e17bc2e2","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_utils.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["71016669386664999699571887293822839632","231332232310912185559397053349975538853","182891246110962140004651294886308711034","23651705840465111356864563930574067669","227799907781282079513939111739443978695","278689253255781974557001976675962955782","24999513775547359467003169758767546009"]},"deprecated":false,"id":"ASB-A-375396810-eb2f47f0","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/avct/avct_lcb_act.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["142600366915217162261739578436175484793","244890001589744207766774534847751829751","75374273305427944043031912133923820740","295105858449008142926915246922824497309","54354794193376802653588396451067552222","258256200696726803040811278432971517861","105993498725994113530876733006184989955"]},"deprecated":false,"id":"ASB-A-375396810-f3ffebe3","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"},{"target":{"file":"system/stack/bnep/bnep_main.cc","function":"bnep_congestion_ind"},"signature_type":"Function","digest":{"function_hash":"304391834931304677978747202437246195863","length":841},"deprecated":false,"id":"ASB-A-375396810-f926d9d6","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda","signature_version":"v1"}],"spl":"2025-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-375396810.json"}}],"schema_version":"1.7.5"}