{"id":"ASB-A-269253349", "published":"2023-09-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2023-35666", "A-269253349"], "details":"In bta_av_rc_msg of bta_av_act.cc, there is a possible use after free due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13-next:0"}, {"fixed":"13-next:2023-09-01"}]}], "versions":["13-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/436a60c26744ef0699ba49182987467cee4a746b"], "severity":"High", "spl":"2023-09-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"202031495183167535993362350757088610019", "length":5765}, "id":"ASB-A-269253349-04d81780", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/436a60c26744ef0699ba49182987467cee4a746b", "target":{"file":"system/bta/av/bta_av_act.cc", "function":"bta_av_rc_msg"}}, {"deprecated":false, "digest":{"line_hashes":["126063420346306657663512677345875224896", "242319816300548950297038881119232842538", "233258715842497773758930975541940563986", "245693739312668986704721811531529499321"], "threshold":0.9}, "id":"ASB-A-269253349-66a38ccb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/436a60c26744ef0699ba49182987467cee4a746b", "target":{"file":"system/bta/av/bta_av_act.cc"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2023-09-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9"], "severity":"High", "spl":"2023-09-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"202031495183167535993362350757088610019", "length":5765}, "id":"ASB-A-269253349-35352c09", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9", "target":{"file":"bta/av/bta_av_act.cc", "function":"bta_av_rc_msg"}}, {"deprecated":false, "digest":{"line_hashes":["126063420346306657663512677345875224896", "242319816300548950297038881119232842538", "233258715842497773758930975541940563986", "245693739312668986704721811531529499321"], "threshold":0.9}, "id":"ASB-A-269253349-4c3c669b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9", "target":{"file":"bta/av/bta_av_act.cc"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-09-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9"], "severity":"High", "spl":"2023-09-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"202031495183167535993362350757088610019", "length":5765}, "id":"ASB-A-269253349-326f2045", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9", "target":{"file":"bta/av/bta_av_act.cc", "function":"bta_av_rc_msg"}}, {"deprecated":false, "digest":{"line_hashes":["126063420346306657663512677345875224896", "242319816300548950297038881119232842538", "233258715842497773758930975541940563986", "245693739312668986704721811531529499321"], "threshold":0.9}, "id":"ASB-A-269253349-dfbf133e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9", "target":{"file":"bta/av/bta_av_act.cc"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-09-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9"], "severity":"High", "spl":"2023-09-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["126063420346306657663512677345875224896", "242319816300548950297038881119232842538", "233258715842497773758930975541940563986", "245693739312668986704721811531529499321"], "threshold":0.9}, "id":"ASB-A-269253349-589203c3", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9", "target":{"file":"bta/av/bta_av_act.cc"}}, {"deprecated":false, "digest":{"function_hash":"202031495183167535993362350757088610019", "length":5765}, "id":"ASB-A-269253349-9203f115", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9", "target":{"file":"bta/av/bta_av_act.cc", "function":"bta_av_rc_msg"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-09-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d3ee136851de30261e56c62fbb488541dc564b94"], "severity":"High", "spl":"2023-09-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["126063420346306657663512677345875224896", "242319816300548950297038881119232842538", "233258715842497773758930975541940563986", "245693739312668986704721811531529499321"], "threshold":0.9}, "id":"ASB-A-269253349-3e94ced0", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d3ee136851de30261e56c62fbb488541dc564b94", "target":{"file":"system/bta/av/bta_av_act.cc"}}, {"deprecated":false, "digest":{"function_hash":"202031495183167535993362350757088610019", "length":5765}, "id":"ASB-A-269253349-751abff0", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d3ee136851de30261e56c62fbb488541dc564b94", "target":{"file":"system/bta/av/bta_av_act.cc", "function":"bta_av_rc_msg"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-09-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b7ea57f620436c83a9766f928437ddadaa232e3a"}]}