{"id":"ASB-A-406785684","details":"In SendPacketToPeer of acl_arbiter.cc, there is a possible out of bounds read due to a use after free. This could lead to remotely-triggered local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-406785684","CVE-2025-48539"],"modified":"2026-06-02T15:13:07.889160648Z","published":"2025-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/33be5d45cb275aa9c13d975a4c556b2e7a769089"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-09-01"}]}],"versions":["16-next"],"ecosystem_specific":{"spl":"2025-09-01","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["42513219586601643498666917077259327358","214661696728787310131164919206585232759","31548046443679700939958393511330554296","86263910952918042751199429885923080603"]},"target":{"file":"system/stack/arbiter/acl_arbiter.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/243d7484e59730c522640b616445b2747b3062e5","signature_type":"Line","id":"ASB-A-406785684-6cc39de1","deprecated":false}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/243d7484e59730c522640b616445b2747b3062e5"],"severity":"High","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-406785684.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-09-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-09-01","vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/59d787dcbf5a95d0f00f28970dc98906f3c53832","target":{"file":"system/stack/arbiter/acl_arbiter.cc"},"signature_type":"Line","id":"ASB-A-406785684-ad13fa2e","digest":{"threshold":0.9,"line_hashes":["316396108177116684968999051970746304784","241047315319657239551928598967010528905","31548046443679700939958393511330554296","218294207003004999605826659387357549421"]},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/59d787dcbf5a95d0f00f28970dc98906f3c53832"],"types":["RCE"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-406785684.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-09-01"}]}],"versions":["16"],"ecosystem_specific":{"spl":"2025-09-01","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["42513219586601643498666917077259327358","214661696728787310131164919206585232759","31548046443679700939958393511330554296","86263910952918042751199429885923080603"]},"deprecated":false,"target":{"file":"system/stack/arbiter/acl_arbiter.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d6cb1ec8d11d2a8239c9f7e824f6fbe29edeb2e6","signature_type":"Line","id":"ASB-A-406785684-8c6914b9"}],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d6cb1ec8d11d2a8239c9f7e824f6fbe29edeb2e6"],"severity":"High","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-406785684.json"}}],"schema_version":"1.7.5"}