Headline
CVE-2023-35666
In bta_av_rc_msg of bta_av_act.cc, there is a possible use after free due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Fix commit b7ea57f620436c83a9766f928437ddadaa232e3a (tree 44210c93593b095aefa8e594538a82ed0f55242d, parent 8770c07c102c7fdc74626dc717acc8f6dd1c92cc)
Author: Brian Delwiche, Wed Mar 01 00:22:59 2023 +0000
Committer: Android Build Coastguard Worker, Fri Jul 14 17:32:14 2023 +0000

Fix potential abort in btu_av_act.cc

Partner analysis shows that bta_av_rc_msg does not respect handling established for a null browse packet, instead dispatching the null pointer to bta_av_rc_free_browse_msg. Strictly speaking this does not cause a UAF, as osi_free_and_reset will find the null and abort, but it will lead to improper program termination.

Handle the case instead.

Bug: 269253349
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3ee136851de30261e56c62fbb488541dc564b94)
Merged-In: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
Change-Id: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d

Changed file: system/bta/av/bta_av_act.cc (modified, mode 100644; blob 10019e7edcfbe8bc414161c55065caff40a198a6 -> dce4ea2012ed8268023a64c21c8ac0e46b465aaa)
Related news
Clone vulnerability in the huks ta module. Successful exploitation of this vulnerability may affect service confidentiality.
In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to an integer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.