{"id":"ASB-A-375409435","details":"In sdp_snd_service_search_req of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-375409435","CVE-2025-22403"],"modified":"2026-04-17T15:55:28.020024Z","published":"2025-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/37bcf769c1aa8dfa8e5524858d47f6a80b765fa4"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-03-01"}]}],"versions":["15-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7f74d44cebf1cad4b3d7aa9b05236a41cb221e9e"],"vanir_signatures":[{"id":"ASB-A-375409435-44e33881","digest":{"threshold":0.9,"line_hashes":["185486579480985713112082667811722275236","17057568583745171272579259696309426503","80774933675077869032302284458860655476","115680520510039957212659840251882548952","149272764073703809669421546090731542086","132375438198367819111153161607144242575","186177419848916491106430461256472221809","250022138064522366207171179373555795389"]},"signature_type":"Line","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7f74d44cebf1cad4b3d7aa9b05236a41cb221e9e","signature_version":"v1"},{"id":"ASB-A-375409435-47499204","digest":{"function_hash":"140146735426474515366070883419062745255","length":1497},"signature_type":"Function","target":{"function":"sdp_snd_service_search_req","file":"system/stack/sdp/sdp_discovery.cc"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7f74d44cebf1cad4b3d7aa9b05236a41cb221e9e","signature_version":"v1"},{"id":"ASB-A-375409435-8c0a16e4","digest":{"function_hash":"308941742199032283269529400827602332500","length":3689},"signature_type":"Function","target":{"function":"process_service_search_attr_rsp","file":"system/stack/sdp/sdp_discovery.cc"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7f74d44cebf1cad4b3d7aa9b05236a41cb221e9e","signature_version":"v1"}],"spl":"2025-03-01","types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-375409435.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-03-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bb2f54f9ed938267c2830da4a9d984529274d8a8"],"vanir_signatures":[{"id":"ASB-A-375409435-0c8b0075","digest":{"function_hash":"165027032574402723718083216113014457432","length":1358},"signature_type":"Function","target":{"function":"sdp_snd_service_search_req","file":"system/stack/sdp/sdp_discovery.cc"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bb2f54f9ed938267c2830da4a9d984529274d8a8","signature_version":"v1"},{"id":"ASB-A-375409435-839ef8ed","digest":{"threshold":0.9,"line_hashes":["12190546748810153671323829287973396926","250063306120409055104865957682659589968","14738994624663035747041608733386582070","23271983830575734844306478053192221507","72564316092330557065769555111629989985","167288907091122585214705296993377740906","320217447774151956406964022062422034648","307622193380667158305078197192178528596"]},"signature_type":"Line","target":{"file":"system/stack/sdp/sdp_discovery.cc"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bb2f54f9ed938267c2830da4a9d984529274d8a8","signature_version":"v1"},{"id":"ASB-A-375409435-ea7c07d0","digest":{"function_hash":"48886429007938031076324531841910728667","length":3316},"signature_type":"Function","target":{"function":"process_service_search_attr_rsp","file":"system/stack/sdp/sdp_discovery.cc"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bb2f54f9ed938267c2830da4a9d984529274d8a8","signature_version":"v1"}],"spl":"2025-03-01","types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-375409435.json"}}],"schema_version":"1.7.5"}