CVE-2024-49747 Overview
CVE-2024-49747 is a critical out-of-bounds write vulnerability discovered in the Android Bluetooth stack, specifically in the gatts_process_read_by_type_req function within gatt_sr.cc. This vulnerability arises from a logic error in the GATT (Generic Attribute Profile) server implementation that processes "Read By Type" requests. The flaw enables remote code execution without requiring any user interaction or additional execution privileges, making it particularly dangerous for Android devices with Bluetooth enabled.
Critical Impact
This vulnerability allows remote attackers to execute arbitrary code on vulnerable Android devices via Bluetooth without any user interaction, potentially leading to complete device compromise.
Affected Products
- Google Android 12.0
- Google Android 12.1
- Google Android 13.0
- Google Android 14.0
- Google Android 15.0
Discovery Timeline
- 2025-01-21 - CVE CVE-2024-49747 published to NVD
- 2025-04-22 - Last updated in NVD database
Technical Details for CVE-2024-49747
Vulnerability Analysis
The vulnerability resides in the GATT server component of Android's Bluetooth stack, specifically within the gatts_process_read_by_type_req() function in gatt_sr.cc. This function is responsible for handling "Read By Type" requests from Bluetooth Low Energy (BLE) clients. The flaw is categorized as CWE-94 (Improper Control of Generation of Code), though the immediate impact manifests as an out-of-bounds write condition.
When processing incoming GATT requests, the function fails to properly validate boundaries due to a logic error, allowing an attacker to write data beyond the intended buffer limits. This memory corruption can be leveraged to achieve remote code execution. The attack can be carried out over a network (Bluetooth) connection without requiring any authentication, prior privileges, or user interaction.
Root Cause
The root cause of CVE-2024-49747 is a logic error in the boundary checking code within gatts_process_read_by_type_req(). When calculating buffer offsets and sizes during the processing of Read By Type requests, the function contains flawed logic that fails to properly constrain write operations. This allows attacker-controlled data to overflow the allocated buffer boundaries, corrupting adjacent memory regions and potentially overwriting critical data structures or function pointers.
Attack Vector
The attack vector for CVE-2024-49747 is network-based via Bluetooth Low Energy communication. An attacker within Bluetooth range of a vulnerable Android device can craft malicious GATT Read By Type requests that trigger the out-of-bounds write condition. The attack flow proceeds as follows:
- The attacker establishes a Bluetooth Low Energy connection with the target device
- The attacker initiates a GATT session with the target's GATT server
- Specially crafted "Read By Type" requests are sent to the target device
- The vulnerable gatts_process_read_by_type_req() function processes the malicious request
- Due to the logic error, an out-of-bounds write occurs, corrupting memory
- The attacker achieves code execution in the Bluetooth process context
Since no user interaction is required and the attack requires no special privileges, exploitation can occur transparently while a user simply has Bluetooth enabled.
Detection Methods for CVE-2024-49747
Indicators of Compromise
- Unexpected Bluetooth service crashes or restarts on Android devices
- Anomalous GATT server activity or unusual Bluetooth connection patterns
- System logs showing memory corruption errors in the Bluetooth stack (gatt_sr.cc related)
- Unexplained process behavior following Bluetooth Low Energy connections
Detection Strategies
- Monitor Android system logs for Bluetooth stack crashes or anomalies, particularly those referencing GATT operations
- Deploy endpoint detection solutions capable of identifying memory corruption exploitation attempts
- Implement network-level Bluetooth monitoring to detect abnormal GATT request patterns
- Use SentinelOne Singularity to monitor for post-exploitation behavior such as privilege escalation or suspicious process spawning
Monitoring Recommendations
- Enable verbose logging for Bluetooth services to capture detailed GATT transaction information
- Monitor for unusual Bluetooth pairing attempts or connection requests from unknown devices
- Implement behavioral analysis to detect anomalous activity following Bluetooth connections
- Configure alerts for Bluetooth service crashes or unexpected restarts
How to Mitigate CVE-2024-49747
Immediate Actions Required
- Apply the January 2025 Android Security Patch immediately to all affected devices
- Disable Bluetooth on devices that cannot be immediately patched when not actively in use
- Review device management policies to ensure timely security update deployment
- Monitor managed devices for signs of compromise using endpoint protection solutions
Patch Information
Google has addressed CVE-2024-49747 in the January 2025 Android Security Bulletin. Organizations and users should update their Android devices to the latest available security patch level. The fix corrects the logic error in the gatts_process_read_by_type_req() function to properly validate buffer boundaries during GATT request processing.
For detailed patch information, refer to the Android Security Bulletin January 2025.
Workarounds
- Disable Bluetooth functionality on devices where patching is not immediately possible
- Limit Bluetooth discoverability and only enable it when actively needed
- Use Bluetooth Low Energy scanning restrictions where supported by device management solutions
- Implement network segmentation to isolate high-value devices from potential Bluetooth-range attackers
# Disable Bluetooth via ADB for enterprise-managed devices
adb shell settings put global bluetooth_on 0
adb shell svc bluetooth disable
# Verify Bluetooth status
adb shell settings get global bluetooth_on
# Expected output: 0 (disabled)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
