{"id":"ASB-A-230494481", "published":"2022-08-01T00:00:00Z", "modified":"2026-04-29T15:10:00.007170452Z", "aliases":["CVE-2022-20345", "A-230494481"], "details":"In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-08-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7"], "severity":"Critical", "spl":"2022-08-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["55705507659901056751541525100410692467", "129612777462826108300575791623030211462", "218160243998060500243641945815635237332", "15727238478529142005183987233395361709", "189428048400701381172458269065605979516", "185168886266552122974993543782533786385"], "threshold":0.9}, "id":"ASB-A-230494481-4ece4e7d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7", "target":{"file":"stack/l2cap/l2c_ble.cc"}}, {"deprecated":false, "digest":{"function_hash":"84986807421059699936917941225242500392", "length":15253}, "id":"ASB-A-230494481-f122d02b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7", "target":{"file":"stack/l2cap/l2c_ble.cc", "function":"l2cble_process_sig_cmd"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2022-08-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7"], "severity":"Critical", "spl":"2022-08-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["55705507659901056751541525100410692467", "129612777462826108300575791623030211462", "218160243998060500243641945815635237332", "15727238478529142005183987233395361709", "189428048400701381172458269065605979516", "185168886266552122974993543782533786385"], "threshold":0.9}, "id":"ASB-A-230494481-9f1fd7cd", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7", "target":{"file":"stack/l2cap/l2c_ble.cc"}}, {"deprecated":false, "digest":{"function_hash":"84986807421059699936917941225242500392", "length":15253}, "id":"ASB-A-230494481-da73fd51", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7", "target":{"file":"stack/l2cap/l2c_ble.cc", "function":"l2cble_process_sig_cmd"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-08-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/system/bt/+/e0dd01b536919d5407968eae341b72fa10ec0b7d"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0b7fe01dd050fa4155b1cd802d901b4c9eccdfef"}]}