{"id":"ASB-A-232023771", "published":"2022-12-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2022-20411", "A-232023771"], "details":"In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2022-12-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f", "https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12"], "severity":"Critical", "spl":"2022-12-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"31651622261620113666886604573074119865", "length":2269}, "id":"ASB-A-232023771-24b295aa", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12", "target":{"file":"stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"function_hash":"215894916147553160587423900392199587617", "length":2079}, "id":"ASB-A-232023771-321a029d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12", "target":{"file":"stack/avct/avct_lcb_act.cc", "function":"avct_lcb_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "103868281249314003293679143785339859589", "278968636750065012184485026436445418276", "55401410856980922119019680032701604430"], "threshold":0.9}, "id":"ASB-A-232023771-4166c182", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f", "target":{"file":"stack/avdt/avdt_msg.cc"}}, {"deprecated":false, "digest":{"line_hashes":["173584054749471213542059671671466609370", "218272014920384491034865323393805809107", "213647027907871969227418315119428298185", "9928675793482950772906846926328496605", "299567162013897171384820515506672829954", "303197354449278179794684350283057267623", "28531630504339552654429710756820330137", "327271937418312844391748711278984965058"], "threshold":0.9}, "id":"ASB-A-232023771-815881f1", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12", "target":{"file":"stack/avct/avct_lcb_act.cc"}}, {"deprecated":false, "digest":{"function_hash":"160853215269139646123064996311532757850", "length":2129}, "id":"ASB-A-232023771-b21cbf2c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f", "target":{"file":"stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "215507649221945670645596187650782013637", "23877860105343681440705075309397570792", "310567960305520675214271535015287563817", "88934782529621464372846023753636423842", "219719858263803852531280969617611252898", "137818675491998040360743622437184545376", "265765237446791770549679568004270914313"], "threshold":0.9}, "id":"ASB-A-232023771-f7b85ac5", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12", "target":{"file":"stack/avdt/avdt_msg.cc"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2022-12-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c", "https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653"], "severity":"Critical", "spl":"2022-12-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"31651622261620113666886604573074119865", "length":2269}, "id":"ASB-A-232023771-1ac3aad0", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653", "target":{"file":"stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"function_hash":"215894916147553160587423900392199587617", "length":2079}, "id":"ASB-A-232023771-a30ae265", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653", "target":{"file":"stack/avct/avct_lcb_act.cc", "function":"avct_lcb_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "215507649221945670645596187650782013637", "23877860105343681440705075309397570792", "310567960305520675214271535015287563817", "88934782529621464372846023753636423842", "219719858263803852531280969617611252898", "137818675491998040360743622437184545376", "265765237446791770549679568004270914313"], "threshold":0.9}, "id":"ASB-A-232023771-ad6e5cb0", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653", "target":{"file":"stack/avdt/avdt_msg.cc"}}, {"deprecated":false, "digest":{"line_hashes":["173584054749471213542059671671466609370", "218272014920384491034865323393805809107", "213647027907871969227418315119428298185", "9928675793482950772906846926328496605", "299567162013897171384820515506672829954", "303197354449278179794684350283057267623", "28531630504339552654429710756820330137", "327271937418312844391748711278984965058"], "threshold":0.9}, "id":"ASB-A-232023771-c52f64b9", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653", "target":{"file":"stack/avct/avct_lcb_act.cc"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "103868281249314003293679143785339859589", "278968636750065012184485026436445418276", "55401410856980922119019680032701604430"], "threshold":0.9}, "id":"ASB-A-232023771-e07377b5", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c", "target":{"file":"stack/avdt/avdt_msg.cc"}}, {"deprecated":false, "digest":{"function_hash":"160853215269139646123064996311532757850", "length":2129}, "id":"ASB-A-232023771-ea12604b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c", "target":{"file":"stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-12-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb", "https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176"], "severity":"Critical", "spl":"2022-12-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"215894916147553160587423900392199587617", "length":2079}, "id":"ASB-A-232023771-285f19e5", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176", "target":{"file":"stack/avct/avct_lcb_act.cc", "function":"avct_lcb_msg_asmbl"}}, {"deprecated":false, "digest":{"function_hash":"160853215269139646123064996311532757850", "length":2129}, "id":"ASB-A-232023771-377d1e1d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb", "target":{"file":"stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "215507649221945670645596187650782013637", "23877860105343681440705075309397570792", "310567960305520675214271535015287563817", "88934782529621464372846023753636423842", "219719858263803852531280969617611252898", "137818675491998040360743622437184545376", "265765237446791770549679568004270914313"], "threshold":0.9}, "id":"ASB-A-232023771-6cef8960", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176", "target":{"file":"stack/avdt/avdt_msg.cc"}}, {"deprecated":false, "digest":{"function_hash":"31651622261620113666886604573074119865", "length":2269}, "id":"ASB-A-232023771-6f9faae4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176", "target":{"file":"stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "103868281249314003293679143785339859589", "278968636750065012184485026436445418276", "55401410856980922119019680032701604430"], "threshold":0.9}, "id":"ASB-A-232023771-a9d2d372", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb", "target":{"file":"stack/avdt/avdt_msg.cc"}}, {"deprecated":false, "digest":{"line_hashes":["299567162013897171384820515506672829954", "303197354449278179794684350283057267623", "28531630504339552654429710756820330137", "327271937418312844391748711278984965058"], "threshold":0.9}, "id":"ASB-A-232023771-c106511b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176", "target":{"file":"stack/avct/avct_lcb_act.cc"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2022-12-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb"], "severity":"Critical", "spl":"2022-12-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "103868281249314003293679143785339859589", "278968636750065012184485026436445418276", "55401410856980922119019680032701604430"], "threshold":0.9}, "id":"ASB-A-232023771-7977fdf2", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4", "target":{"file":"system/stack/avdt/avdt_msg.cc"}}, {"deprecated":false, "digest":{"function_hash":"31651622261620113666886604573074119865", "length":2269}, "id":"ASB-A-232023771-9cacfddc", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb", "target":{"file":"system/stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"function_hash":"215894916147553160587423900392199587617", "length":2079}, "id":"ASB-A-232023771-c94e61f4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb", "target":{"file":"system/stack/avct/avct_lcb_act.cc", "function":"avct_lcb_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["299567162013897171384820515506672829954", "303197354449278179794684350283057267623", "28531630504339552654429710756820330137", "327271937418312844391748711278984965058"], "threshold":0.9}, "id":"ASB-A-232023771-dac224cf", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb", "target":{"file":"system/stack/avct/avct_lcb_act.cc"}}, {"deprecated":false, "digest":{"function_hash":"160853215269139646123064996311532757850", "length":2129}, "id":"ASB-A-232023771-f0b5ebf2", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4", "target":{"file":"system/stack/avdt/avdt_msg.cc", "function":"avdt_msg_asmbl"}}, {"deprecated":false, "digest":{"line_hashes":["70120848165161273781258461032605334239", "215507649221945670645596187650782013637", "23877860105343681440705075309397570792", "310567960305520675214271535015287563817", "88934782529621464372846023753636423842", "219719858263803852531280969617611252898", "137818675491998040360743622437184545376", "265765237446791770549679568004270914313"], "threshold":0.9}, "id":"ASB-A-232023771-f4290a62", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb", "target":{"file":"system/stack/avdt/avdt_msg.cc"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-12-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/9f083ec910ec38ba7ba04443b126f66ef33972b4"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/493fcadb4111608f364df2b9c31bdc0234ac527a"}]}