CVE-2023-21108 Overview
CVE-2023-21108 is a use-after-free vulnerability [CWE-416] in the Android Bluetooth stack, specifically in the sdpu_build_uuid_seq function of sdp_discovery.cc. The flaw allows an out-of-bounds write that can lead to remote code execution over Bluetooth when Hands-Free Profile (HFP) support is enabled. Exploitation requires no user interaction and no additional execution privileges. The vulnerability affects multiple Android versions and was addressed in the June 2023 Android Security Bulletin.
Critical Impact
Adjacent-network attackers within Bluetooth range can achieve remote code execution on vulnerable Android devices without user interaction when HFP is enabled.
Affected Products
- Google Android 11
- Google Android 12 and Android 12L
- Google Android 13
Discovery Timeline
- 2023-06-01 - Google releases security patch in the Android Security Bulletin
- 2023-06-15 - CVE-2023-21108 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-21108
Vulnerability Analysis
The vulnerability resides in sdpu_build_uuid_seq, a helper routine inside the Service Discovery Protocol (SDP) discovery logic at sdp_discovery.cc. The function constructs a sequence of Universally Unique Identifiers (UUIDs) during SDP transactions. A use-after-free condition allows the function to write outside the bounds of a freed buffer.
The Hands-Free Profile (HFP) path triggers the vulnerable code, expanding the attack surface on devices where HFP is active. Because SDP operates beneath the application layer, no user prompt or interaction is required to reach the vulnerable code path. An attacker within Bluetooth radio range can deliver a crafted SDP request that drives the device into the unsafe state.
Root Cause
The root cause is a use-after-free [CWE-416] in the Bluetooth SDP layer. The function sdpu_build_uuid_seq operates on a buffer reference after the underlying memory has been freed or reallocated. Subsequent writes corrupt adjacent heap structures, producing an out-of-bounds write primitive that can be groomed into control-flow hijack.
Attack Vector
The attack vector is Adjacent Network (Bluetooth). An attacker within Bluetooth range crafts SDP discovery traffic targeting the HFP service. The malformed exchange forces the vulnerable code to dereference freed memory and write attacker-influenced data. With reliable heap shaping, this primitive can be escalated to arbitrary code execution inside the privileged Bluetooth process. No authentication or pairing approval is required for the initial SDP transaction in many configurations, which removes the user interaction barrier.
No public proof-of-concept code is available for this issue. See the Android Security Bulletin 2023-06-01 for vendor technical details.
Detection Methods for CVE-2023-21108
Indicators of Compromise
- Unexpected crashes or restarts of the Bluetooth stack (com.android.bluetooth) shortly after inbound SDP discovery requests.
- Tombstone files referencing sdpu_build_uuid_seq or sdp_discovery.cc in /data/tombstones/.
- Anomalous Bluetooth pairing or SDP traffic from unknown nearby devices observed in HCI logs.
Detection Strategies
- Monitor Android device logs (logcat, bug reports) for repeated Bluetooth stack native crashes that correlate across a fleet.
- Enable Bluetooth HCI snoop logs on managed devices and inspect for malformed SDP ServiceSearchAttribute requests with unusual UUID sequence lengths.
- Use Mobile Threat Defense telemetry to flag devices running Android 11–13 build levels below the 2023-06-01 security patch level.
Monitoring Recommendations
- Track the ro.build.version.security_patch property across managed devices and alert on values earlier than 2023-06-01.
- Correlate Bluetooth-related crash signatures with proximity-based events from physical security or location telemetry.
- Audit which fleet devices have HFP enabled and treat them as higher-risk until patched.
How to Mitigate CVE-2023-21108
Immediate Actions Required
- Apply the June 2023 (2023-06-01) Android security patch level or later to all Android 11, 12, 12L, and 13 devices.
- Disable Bluetooth on devices that cannot be patched, especially in untrusted physical environments.
- Enforce a minimum security patch level through Mobile Device Management (MDM) compliance policies and block non-compliant devices from corporate resources.
Patch Information
Google released the fix in the June 2023 Android Security Bulletin. The patch is identified by Android ID A-239414876 and addresses the use-after-free in sdpu_build_uuid_seq. Device vendors distribute the fix as part of the 2023-06-01 security patch level. Reference: Android Security Bulletin 2023-06-01.
Workarounds
- Turn Bluetooth off when not in use to remove the adjacent-network attack surface.
- Disable or unpair Hands-Free Profile devices on unpatched handsets, since HFP is the trigger condition called out in the advisory.
- Keep devices out of Bluetooth discoverable mode in public or untrusted locations until the patch is applied.
# Verify the Android security patch level on a device via adb
adb shell getprop ro.build.version.security_patch
# A value of 2023-06-01 or later indicates the fix for CVE-2023-21108 is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
