{"id":"ASB-A-169252501", "published":"2021-05-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2021-0476", "A-169252501"], "details":"In FindOrCreatePeer of btif_av.cc, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"9:0"}, {"fixed":"9:2021-05-01"}]}], "versions":["9"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4"], "severity":"High", "spl":"2021-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":true, "digest":{"function_hash":"149876918045358504370956173241248993079", "length":238}, "id":"ASB-A-169252501-15d8ddc1", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::BtaHandleRegistered"}}, {"deprecated":true, "digest":{"function_hash":"127846889590340415951834049465418819456", "length":236}, "id":"ASB-A-169252501-285769eb", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::BtaHandleRegistered"}}, {"deprecated":true, "digest":{"function_hash":"65528912344716834826589416087978685088", "length":174}, "id":"ASB-A-169252501-374d3e5a", "match_only_versions":["9"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::DeregisterAllBtaHandles"}}, {"deprecated":true, "digest":{"line_hashes":["331293078526016562404328689888141899854", "2322497238627235144961727125087970630", "203648937355433518573128439932761124777", "25212691223185803066718930812061936369", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "267201269717841092028825668417157367496", "75978771785860844122118265499495747857", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "173569485101204284895449963033278039481", "21721513700559348382673603846927763618", "105693334848323409289971173846162312904", "255217769913288710609696394077196581389", "4384637297730988857126802801291282735", "26672876250087487240984185801548000381", "48727072518112051530940429775497435846", "304546366998825079381700039783930145396", "81964408864056496411746589272296610514", "211776590200393861532864587028871615658", "126867683735155193271630160450672618658", "326101455198965394955974023546275441965", "9071875010004526267855058804911097608", "112322295493807377885673840050434155023", "89920879861773771452513663279140829048", "227538133683789425713924827535890684293", "149233445817964970468812921719314436276", "26672876250087487240984185801548000381", "234659527700712118863467554668560540893", "287965408633361319571044857821250093537", "279590714065217830466403121878877668117", "335935096673570273337876886832130065823", "244958522067952797573893982748380823527", "334988230763470955820707789938215014877", "232033678032022769000728351318862788994", "191895866305495185361903928815781935142"], "threshold":0.9}, "id":"ASB-A-169252501-a758358b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc"}}, {"deprecated":true, "digest":{"function_hash":"329174392347763179983427046306926867425", "length":1048}, "id":"ASB-A-169252501-ab29ddde", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::FindOrCreatePeer"}}, {"deprecated":true, "digest":{"function_hash":"43140690224603685116810835061539601341", "length":172}, "id":"ASB-A-169252501-e9eb27b3", "match_only_versions":["9"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::DeregisterAllBtaHandles"}}, {"deprecated":true, "digest":{"function_hash":"218766263198388952194430734699468708722", "length":1050}, "id":"ASB-A-169252501-f9a695a4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::FindOrCreatePeer"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2021-05-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e"], "severity":"High", "spl":"2021-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":true, "digest":{"line_hashes":["331293078526016562404328689888141899854", "2322497238627235144961727125087970630", "203648937355433518573128439932761124777", "25212691223185803066718930812061936369", "242867435571651341606309218580176787629", "315116305912593237881129245693820990073", "267201269717841092028825668417157367496", "75978771785860844122118265499495747857", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "173569485101204284895449963033278039481", "21721513700559348382673603846927763618", "105693334848323409289971173846162312904", "255217769913288710609696394077196581389", "4384637297730988857126802801291282735", "26672876250087487240984185801548000381", "48727072518112051530940429775497435846", "304546366998825079381700039783930145396", "81964408864056496411746589272296610514", "211776590200393861532864587028871615658", "126867683735155193271630160450672618658", "326101455198965394955974023546275441965", "9071875010004526267855058804911097608", "112322295493807377885673840050434155023", "89920879861773771452513663279140829048", "227538133683789425713924827535890684293", "149233445817964970468812921719314436276", "26672876250087487240984185801548000381", "234659527700712118863467554668560540893", "287965408633361319571044857821250093537", "279590714065217830466403121878877668117", "335935096673570273337876886832130065823", "244958522067952797573893982748380823527", "334988230763470955820707789938215014877", "232033678032022769000728351318862788994", "191895866305495185361903928815781935142"], "threshold":0.9}, "id":"ASB-A-169252501-1f13d38a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc"}}, {"deprecated":true, "digest":{"function_hash":"65528912344716834826589416087978685088", "length":174}, "id":"ASB-A-169252501-202caa8b", "match_only_versions":["10"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::DeregisterAllBtaHandles"}}, {"deprecated":true, "digest":{"function_hash":"149876918045358504370956173241248993079", "length":238}, "id":"ASB-A-169252501-2dd436a9", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::BtaHandleRegistered"}}, {"deprecated":true, "digest":{"function_hash":"46617459757280629262567702798985189903", "length":1109}, "id":"ASB-A-169252501-96f5657e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::FindOrCreatePeer"}}, {"deprecated":true, "digest":{"function_hash":"218766263198388952194430734699468708722", "length":1050}, "id":"ASB-A-169252501-973dda73", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::FindOrCreatePeer"}}, {"deprecated":true, "digest":{"function_hash":"43140690224603685116810835061539601341", "length":172}, "id":"ASB-A-169252501-b9ca15d3", "match_only_versions":["10"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::DeregisterAllBtaHandles"}}, {"deprecated":true, "digest":{"function_hash":"127846889590340415951834049465418819456", "length":236}, "id":"ASB-A-169252501-bf738abc", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::BtaHandleRegistered"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2021-05-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff"], "severity":"High", "spl":"2021-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":true, "digest":{"function_hash":"43140690224603685116810835061539601341", "length":172}, "id":"ASB-A-169252501-1960f265", "match_only_versions":["11"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::DeregisterAllBtaHandles"}}, {"deprecated":true, "digest":{"function_hash":"230495465556589350163812101599905675235", "length":695}, "id":"ASB-A-169252501-3d92bb4a", "match_only_versions":["11"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::BtaHandleRegistered"}}, {"deprecated":true, "digest":{"function_hash":"139062621193383159984482973910761356616", "length":697}, "id":"ASB-A-169252501-6aaafe93", "match_only_versions":["11"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::BtaHandleRegistered"}}, {"deprecated":true, "digest":{"function_hash":"142231195491519073520493206282996531695", "length":1290}, "id":"ASB-A-169252501-6c68d8a0", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::FindOrCreatePeer"}}, {"deprecated":true, "digest":{"function_hash":"65528912344716834826589416087978685088", "length":174}, "id":"ASB-A-169252501-91afdc6f", "match_only_versions":["11"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSource::DeregisterAllBtaHandles"}}, {"deprecated":true, "digest":{"line_hashes":["331293078526016562404328689888141899854", "2322497238627235144961727125087970630", "203648937355433518573128439932761124777", "25212691223185803066718930812061936369", "242867435571651341606309218580176787629", "315116305912593237881129245693820990073", "267201269717841092028825668417157367496", "75978771785860844122118265499495747857", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "173569485101204284895449963033278039481", "21721513700559348382673603846927763618", "105693334848323409289971173846162312904", "255217769913288710609696394077196581389", "4384637297730988857126802801291282735", "26672876250087487240984185801548000381", "48727072518112051530940429775497435846", "304546366998825079381700039783930145396", "81964408864056496411746589272296610514", "211776590200393861532864587028871615658", "126867683735155193271630160450672618658", "326101455198965394955974023546275441965", "9071875010004526267855058804911097608", "102271672906487167265963398051837337197", "89920879861773771452513663279140829048", "227538133683789425713924827535890684293", "149233445817964970468812921719314436276", "26672876250087487240984185801548000381", "234659527700712118863467554668560540893", "287965408633361319571044857821250093537", "279590714065217830466403121878877668117", "335935096673570273337876886832130065823", "244958522067952797573893982748380823527", "334988230763470955820707789938215014877", "232033678032022769000728351318862788994", "323272362925700860830954035651760506206"], "threshold":0.9}, "id":"ASB-A-169252501-a9f129e9", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc"}}, {"deprecated":true, "digest":{"function_hash":"229860356068028072949086883197902121591", "length":1349}, "id":"ASB-A-169252501-f48b765e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "target":{"file":"btif/src/btif_av.cc", "function":"BtifAvSink::FindOrCreatePeer"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2021-05-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/system/bt/+/a2b86770143b3e6ec07a6f26edbdc2f8280f0463"}]}