CVE-2021-0397
published 2021-03-10

Priority: P259 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 5.67% (92.0th percentile)

In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-11, Android-8.1, Android-9, Android-10
Android ID: A-174052148

Affected

10 ranges

Vendor | Product | Version range | Fixed in
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
platform | system_bt | >= 10:0 < 10:2021-03-01 | 10:2021-03-01
platform | system_bt | >= 11:0 < 11:2021-03-01 | 11:2021-03-01
platform | system_bt | >= 8.1:0 < 8.1:2021-03-01 | 8.1:2021-03-01
platform | system_bt | >= 9:0 < 9:2021-03-01 | 9:2021-03-01

Detection & IOCs (extracted from sources)

  • Vulnerability is in sdp_copy_raw_data() within sdp_discovery.cc — monitor for exploitation attempts targeting the Android Bluetooth SDP stack (double-free leading to RCE)
  • No user interaction is required for exploitation — treat any anomalous Bluetooth SDP traffic to Android 8.1/9/10/11 devices as potentially malicious
  • Patch reference A-174052148 in Android Security Bulletin 2021-03-01; unpatched devices running AOSP 8.1, 9, 10, or 11 are at risk — use patch-level checks to identify exposed assets
  • Exploitation is zero-click and remote: no privileges or user interaction are required, making this suitable for drive-by Bluetooth attacks against unpatched Android devices
  • The vulnerability affects a broad range of Android versions (8.1 through 11); Samsung issued a patch in its March 2021 security update addressing this critical flaw
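
One way to run the patch-level check mentioned in the list above, as an added example that is not part of the original page. It assumes each device's properties were collected with `getprop` and that the standard Android properties `ro.build.version.release` and `ro.build.version.security_patch` are present; the device names and dumps are constructed sample data.

```python
import re
from datetime import date

FIXED_LEVEL = date(2021, 3, 1)        # "Fixed in" patch level listed on this page
AFFECTED = {"8.1", "9", "10", "11"}   # Android versions listed on this page
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

def parse_getprop(text):
    """Parse getprop output lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def release_family(release):
    """Map '8.1.0' -> '8.1', '9.0' -> '9', '10' -> '10'."""
    parts = release.split(".")
    if parts[0] == "8" and len(parts) > 1:
        return "8." + parts[1]
    return parts[0]

def classify(props):
    """Return 'exposed', 'patched', 'not-listed' or 'unknown' for one device."""
    release = props.get("ro.build.version.release", "")
    if not release:
        return "unknown"
    if release_family(release) not in AFFECTED:
        return "not-listed"
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"  # missing or malformed patch level: review by hand
    return "patched" if level >= FIXED_LEVEL else "exposed"

def audit(dumps):
    """Classify every device in a {name: getprop_text} mapping."""
    return {name: classify(parse_getprop(text)) for name, text in dumps.items()}

TEMPLATE = "[ro.build.version.release]: [{}]\n[ro.build.version.security_patch]: [{}]\n"
SAMPLES = {  # constructed inventory, not real devices
    "dev-a": TEMPLATE.format("10", "2021-02-05"),
    "dev-b": TEMPLATE.format("11", "2021-03-05"),
    "dev-c": TEMPLATE.format("8.1.0", "2020-12-01"),
    "dev-d": TEMPLATE.format("9", ""),
    "dev-e": TEMPLATE.format("12", "2021-01-01"),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```

Devices reported as `unknown` returned no usable patch level and should be checked manually rather than assumed patched.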

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P