{"id":"ASB-A-273874525", "published":"2023-10-01T00:00:00Z", "modified":"2026-04-29T15:10:00.007170452Z", "aliases":["CVE-2023-40129", "A-273874525"], "details":"In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-10-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed"], "severity":"Critical", "spl":"2023-10-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"36167147116348345863936788657702224124", "length":1957}, "id":"ASB-A-273874525-84daf640", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed", "target":{"file":"stack/gatt/gatt_sr.cc", "function":"build_read_multi_rsp"}}, {"deprecated":false, "digest":{"line_hashes":["320180208113292607896087960140748321710", "185620860055585878484986184931846809734", "319420841029342921839194282503417907253", "250978578845779696356386414138024276852", "318872592807275993100937040753514395656", "141269574546360549306461848829328979810", "204714876695755523928580335686404439046", "183905982059378682327217227057606426163", "311954045522797841068282195162869825882", "263232450369799039219493308252416876531", "400206405204418213502213550468525364", "314770545184342246476502425255109428247", "307362275633226171916038256427833315124", "308895341643965181959918133811250227217", "122757879597053200394180763992077422796", "67834856507516609453221547184769402811", "129943154435575809610568843399508029933", "237475983115649658632985560846409519343", "13227297075605735205156259313947404717", "85253462756822884360816865997710830720", "24526966502570633969055920681276582168", "325969589060144690288502607002477657459", "89081833886852685892140623503777474500", "99804003701978462269687672967659361085"], "threshold":0.9}, "id":"ASB-A-273874525-850b3746", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed", "target":{"file":"stack/gatt/gatt_sr.cc"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-10-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed"], "severity":"Critical", "spl":"2023-10-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"36167147116348345863936788657702224124", "length":1957}, "id":"ASB-A-273874525-11fb76c3", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed", "target":{"file":"stack/gatt/gatt_sr.cc", "function":"build_read_multi_rsp"}}, {"deprecated":false, "digest":{"line_hashes":["320180208113292607896087960140748321710", "185620860055585878484986184931846809734", "319420841029342921839194282503417907253", "250978578845779696356386414138024276852", "318872592807275993100937040753514395656", "141269574546360549306461848829328979810", "204714876695755523928580335686404439046", "183905982059378682327217227057606426163", "311954045522797841068282195162869825882", "263232450369799039219493308252416876531", "400206405204418213502213550468525364", "314770545184342246476502425255109428247", "307362275633226171916038256427833315124", "308895341643965181959918133811250227217", "122757879597053200394180763992077422796", "67834856507516609453221547184769402811", "129943154435575809610568843399508029933", "237475983115649658632985560846409519343", "13227297075605735205156259313947404717", "85253462756822884360816865997710830720", "24526966502570633969055920681276582168", "325969589060144690288502607002477657459", "89081833886852685892140623503777474500", "99804003701978462269687672967659361085"], "threshold":0.9}, "id":"ASB-A-273874525-a3859905", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/system/bt/+/d5f27984f4ca265f28a4adf5835b0198a3e19aed", "target":{"file":"stack/gatt/gatt_sr.cc"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-10-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/85f4d53c7bf90b806639a3a302f0007ffb3b9f23"], "severity":"Critical", "spl":"2023-10-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["301476335257368158159457184534817724226", "185620860055585878484986184931846809734", "319420841029342921839194282503417907253", "250978578845779696356386414138024276852", "318872592807275993100937040753514395656", "141269574546360549306461848829328979810", "204714876695755523928580335686404439046", "183905982059378682327217227057606426163", "311954045522797841068282195162869825882", "80778354735684940648400822243020094520", "298240068789696469338359820937952988798", "254072070548644218687734592118588744547", "290108680486195309810329624003139389789", "246147197161009651927417574757144612761", "71153663538600734989617062507828621121", "263232450369799039219493308252416876531", "400206405204418213502213550468525364", "314770545184342246476502425255109428247", "307362275633226171916038256427833315124", "308895341643965181959918133811250227217", "122757879597053200394180763992077422796", "67834856507516609453221547184769402811", "129943154435575809610568843399508029933", "237475983115649658632985560846409519343", "13227297075605735205156259313947404717", "85253462756822884360816865997710830720", "24526966502570633969055920681276582168", "325969589060144690288502607002477657459", "89081833886852685892140623503777474500", "99804003701978462269687672967659361085"], "threshold":0.9}, "id":"ASB-A-273874525-0522e5b7", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/85f4d53c7bf90b806639a3a302f0007ffb3b9f23", "target":{"file":"system/stack/gatt/gatt_sr.cc"}}, {"deprecated":false, "digest":{"function_hash":"36167147116348345863936788657702224124", "length":1957}, "id":"ASB-A-273874525-16bcc80c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/85f4d53c7bf90b806639a3a302f0007ffb3b9f23", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"build_read_multi_rsp"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-10-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c0151aa3ba76c785b32c7f9d16c98febe53017b1"}]}