CVE-2023-21250
published 2023-07-13


Priority P259, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% (38.8th percentile)
In gatt_end_operation of gatt_utils.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected

14 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| platform | packages_modules_bluetooth | >= 13-next:0 < 13-next:2023-07-01 | 13-next:2023-07-01 |
| platform | packages_modules_bluetooth | >= 13:0 < 13:2023-07-01 | 13:2023-07-01 |
| platform | system_bt | >= 11:0 < 11:2023-07-01 | 11:2023-07-01 |
| platform | system_bt | >= 12:0 < 12:2023-07-01 | 12:2023-07-01 |
| platform | system_bt | >= 12L:0 < 12L:2023-07-01 | 12L:2023-07-01 |

Detection & IOCs (extracted from sources)

  • Vulnerability is in gatt_end_operation() within gatt_utils.cc — monitor for anomalous GATT operation termination flows in Bluetooth stack processes on Android (AOSP 11, 12, 12L, 13)
  • No user interaction required and no additional privileges needed — exploit can be triggered remotely over Bluetooth without any victim action; prioritize detection of unexpected Bluetooth GATT traffic patterns
  • Affected Android versions are 11, 12, 12L, and 13 — scope detection and patch verification efforts to devices running these AOSP versions
  • Internal Android bug tracker reference A-261068592 can be used to cross-reference patch commits in AOSP Gerrit for diff-based detection of the missing bounds check fix in gatt_utils.cc
  • Rated CRITICAL with RCE impact and zero-click, zero-privilege exploitation — no mitigating configuration is documented in the sources; patching via the July 2023 Android Security Bulletin is the only remediation referenced