In avdt_msg_ind of avdt_msg.cc, there is a possible memory corruption due to type confusion. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
The bug lies in improper handling of data types (CWE-843 — type confusion) in the avdt_msg_ind function responsible for processing AVDT protocol messages (Audio/Video Distribution Transport). An attacker with a previously paired Bluetooth device can send a specially crafted message that causes memory corruption. Exploitation does not require any additional privileges on the attacker's side or user interaction from the victim.
A paired malicious Bluetooth device can gain elevated privileges on a vulnerable Android device (privilege escalation), which consequently may lead to full system takeover.
Security patches available from the manufacturer should be applied according to references — the fix was published as part of the Android Security Bulletin dated 2025-04-01 (commit efa5f4ef386a8947f4777840c5cefff389740e86 in the Bluetooth module). It is recommended to update the Android system to a version containing the security patch from the mentioned bulletin as soon as possible.
Google Android — versions indicated in the manufacturer's references (Android Security Bulletin dated 2025-04-01)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoogle Android
OSGoogle13.014.015.0
Related vulnerabilities
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...
Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed ...