{"id":"PUB-A-254445952","details":"In btm_ble_read_remote_features_complete of btm_ble_gap.cc, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if the firmware were compromised with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-254445952","CVE-2023-20977"],"modified":"2026-05-01T15:24:27.653932Z","published":"2023-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-06-01"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-06-01"}]}],"versions":["13-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e"],"severity":"Moderate","vanir_signatures":[{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"142810681150491218045635607572946443956","length":578},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e","deprecated":false,"target":{"function":"btm_ble_read_remote_features_complete","file":"system/stack/btm/btm_ble_gap.cc"},"id":"PUB-A-254445952-022f244f"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["193572171072139386044758502784349330881","155991988424880404455445275899946021128","77915846838003575749278667649509859818","301482340753270901619441375453370399143","153524999287970943245640119122595438779","254010993994861822427506791369397858771","315066371698647898187277120838249668882","316374145808350111093708557981203956062","307964559181206217472726908163401400998","294578632843206956932507371357771971885","196903728762469490430222758322756772973","12785745888760557504192215558819356539","17821528429914078605326521975597115348","182542015634816505864676955174756430311"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e","deprecated":false,"target":{"file":"system/stack/btm/btm_ble_gap.cc"},"id":"PUB-A-254445952-5340fda5"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"137734023174349184830890249239272560832","length":4786},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e","deprecated":false,"target":{"function":"btu_hcif_process_event","file":"system/stack/btu/btu_hcif.cc"},"id":"PUB-A-254445952-60d15612"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["64362738520640031724495979872409942420","62006996824289613532796984643880500396","131766241880642865817313397421143550548","1188834464593180594644199923985966070"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e","deprecated":false,"target":{"file":"system/test/mock/mock_stack_btm_ble_gap.cc"},"id":"PUB-A-254445952-637e72f1"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["193322601014283273961668279302861220443","303684473620824665361678665105351209996","296285505160783488159445971976576054368","143204796913870103492673139000511552690"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e","deprecated":false,"target":{"file":"system/stack/btu/btu_hcif.cc"},"id":"PUB-A-254445952-8722e0f1"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["43125267045811249456873722650429176270","2622587020007766959921735475319764286","188679613354953956492097503756284233815","298775416198561212439457222143063378775"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e2cfbf2685fd4ca4932e6cf6e9d98f57418ce30e","deprecated":false,"target":{"file":"system/stack/include/ble_hci_link_interface.h"},"id":"PUB-A-254445952-f79bda5e"}],"types":["ID"],"spl":"2023-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/PUB-A-254445952.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-06-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881"],"severity":"Moderate","vanir_signatures":[{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"232227972830537180929657144775355121285","length":4846},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881","deprecated":false,"target":{"function":"btu_hcif_process_event","file":"system/stack/btu/btu_hcif.cc"},"id":"PUB-A-254445952-86034636"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"142810681150491218045635607572946443956","length":578},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881","deprecated":false,"target":{"function":"btm_ble_read_remote_features_complete","file":"system/stack/btm/btm_ble_gap.cc"},"id":"PUB-A-254445952-a8e7b3a7"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["193572171072139386044758502784349330881","155991988424880404455445275899946021128","77915846838003575749278667649509859818","301482340753270901619441375453370399143","153524999287970943245640119122595438779","254010993994861822427506791369397858771","315066371698647898187277120838249668882","316374145808350111093708557981203956062","307964559181206217472726908163401400998","294578632843206956932507371357771971885","196903728762469490430222758322756772973","12785745888760557504192215558819356539","17821528429914078605326521975597115348","182542015634816505864676955174756430311"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881","deprecated":false,"target":{"file":"system/stack/btm/btm_ble_gap.cc"},"id":"PUB-A-254445952-ac40944d"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["64362738520640031724495979872409942420","62006996824289613532796984643880500396","131766241880642865817313397421143550548","1188834464593180594644199923985966070"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881","deprecated":false,"target":{"file":"system/test/mock/mock_stack_btm_ble_gap.cc"},"id":"PUB-A-254445952-c1032275"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["43125267045811249456873722650429176270","2622587020007766959921735475319764286","188679613354953956492097503756284233815","298775416198561212439457222143063378775"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881","deprecated":false,"target":{"file":"system/stack/include/ble_hci_link_interface.h"},"id":"PUB-A-254445952-cc256040"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["193322601014283273961668279302861220443","303684473620824665361678665105351209996","296285505160783488159445971976576054368","143204796913870103492673139000511552690"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6aedab38411253cbeee4f6315459c4c6ffc0d881","deprecated":false,"target":{"file":"system/stack/btu/btu_hcif.cc"},"id":"PUB-A-254445952-fe175803"}],"types":["ID"],"spl":"2023-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/PUB-A-254445952.json"}}],"schema_version":"1.7.5"}