Platform System Bt vulnerabilities

66 known vulnerabilities affecting platform/system_bt.

Total CVEs: 66
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: UNKNOWN 66

Vulnerabilities

Page 3 of 4
CVE-2021-0968 | UNKNOWN | ≥ 9:0, < 9:2021-12-01; ≥ 10:0, < 10:2021-12-01; +2 more | 2021-12-01
CVE-2021-0968: In osi_malloc and osi_calloc of allocator.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-1007 | UNKNOWN | ≥ 12:0, < 12:2021-12-01 | 2021-12-01
CVE-2021-1007: In btu_hcif_process_event of btu_hcif.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0918 | UNKNOWN | ≥ 12:0, < 12:2021-11-01 | 2021-11-01
CVE-2021-0918: In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0589 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-07-01; ≥ 9:0, < 9:2021-07-01; +2 more | 2021-07-01
CVE-2021-0589: In BTM_TryAllocateSCN of btm_scn.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2020-26558 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-06-05; ≥ 9:0, < 9:2021-06-05; +2 more | 2021-06-01
CVE-2020-26558: In smp_process_pairing_public_key of smp_act.cc, there is a possible interception of Bluetooth pairing from an on-path attacker due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0522 | UNKNOWN | ≥ 9:0, < 9:2021-06-01; ≥ 10:0, < 10:2021-06-01; +1 more | 2021-06-01
CVE-2021-0522: In ConnectionHandler::SdpCb of connection_handler.cc, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2020-26555 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-06-05; ≥ 9:0, < 9:2021-06-05; +2 more | 2021-06-01
CVE-2020-26555: In btm_sec_pin_code_request of btm_sec.cc, there is a possible bypass of Bluetooth pairing pin-code due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
osv
CVE-2021-0507 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-06-01; ≥ 9:0, < 9:2021-06-01; +2 more | 2021-06-01
CVE-2021-0507: In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0504 | UNKNOWN | ≥ 11:0, < 11:2021-06-01 | 2021-06-01
CVE-2021-0504: In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0474 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-05-01; ≥ 9:0, < 9:2021-05-01; +2 more | 2021-05-01
CVE-2021-0474: In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0476 | UNKNOWN | ≥ 9:0, < 9:2021-05-01; ≥ 10:0, < 10:2021-05-01; +1 more | 2021-05-01
CVE-2021-0476: In FindOrCreatePeer of btif_av.cc, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0475 | UNKNOWN | ≥ 10:0, < 10:2021-05-01; ≥ 11:0, < 11:2021-05-01 | 2021-05-01
CVE-2021-0475: In on_l2cap_data_ind of btif_sock_l2cap.cc, there is possible memory corruption due to a use after free. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0435 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-04-01; ≥ 9:0, < 9:2021-04-01; +2 more | 2021-04-01
CVE-2021-0435: In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0431 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-04-01; ≥ 9:0, < 9:2021-04-01; +2 more | 2021-04-01
CVE-2021-0431: In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0397 | UNKNOWN | ≥ 8.1:0, < 8.1:2021-03-01; ≥ 9:0, < 9:2021-03-01; +2 more | 2021-03-01
CVE-2021-0397: In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2021-0316 | UNKNOWN | ≥ 8.0:0, < 8.0:2021-01-01; ≥ 8.1:0, < 8.1:2021-01-01; +3 more | 2021-01-01
CVE-2021-0316: In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2020-0471 | UNKNOWN | ≥ 8.0:0, < 8.0:2021-01-01; ≥ 8.1:0, < 8.1:2021-01-01; +3 more | 2021-01-01
CVE-2020-0471: In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible way to inject packets into an encrypted Bluetooth connection due to improper input validation. This could lead to remote escalation of privilege between two Bluetooth devices by a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2020-0463 | UNKNOWN | ≥ 8.0:0, < 8.0:2020-12-01; ≥ 8.1:0, < 8.1:2020-12-01; +3 more | 2020-12-01
CVE-2020-0463: In sdp_server_handle_client_req of sdp_server.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure from the bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2020-15802 | UNKNOWN | ≥ 8.0:0, < 8.0:2020-12-01; ≥ 8.1:0, < 8.1:2020-12-01; +3 more | 2020-12-01
CVE-2020-15802: In smp_key_distribution of smp_act.cc, there are possible vulnerabilities in Cross-Transport Key Derivation due to weaknesses in the Bluetooth standard. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
osv
CVE-2020-0449 | UNKNOWN | ≥ 11-next:0, < 11-next:2020-11-01; ≥ 8.0:0, < 8.0:2020-11-01; +4 more | 2020-11-01
CVE-2020-0449: In btm_sec_disconnected of btm_sec.cc, there is a possible memory corruption due to a use after free. This could lead to remote code execution in the Bluetooth server with no additional execution privileges needed. User interaction is needed for exploitation.
osv