CVE-2025-0074 Overview
A critical use-after-free vulnerability exists in the process_service_attr_rsp function within the Android Bluetooth stack's SDP (Service Discovery Protocol) discovery module (sdp_discovery.cc). This memory corruption flaw enables remote attackers to execute arbitrary code on vulnerable Android devices without requiring any user interaction or special privileges.
Critical Impact
This vulnerability allows for remote code execution over Bluetooth with no user interaction required, potentially enabling complete device compromise through the Android Bluetooth subsystem.
Affected Products
- Google Android 15.0
Discovery Timeline
- 2025-08-26 - CVE CVE-2025-0074 published to NVD
- 2025-09-02 - Last updated in NVD database
Technical Details for CVE-2025-0074
Vulnerability Analysis
This use-after-free vulnerability resides in the Bluetooth SDP discovery component of Android, specifically within the process_service_attr_rsp function in sdp_discovery.cc. The vulnerability occurs when processing service attribute responses during Bluetooth service discovery operations.
A use-after-free condition arises when memory that has been deallocated is subsequently accessed. In this case, the SDP response handler improperly manages memory lifecycle during the processing of service attribute responses, allowing an attacker to manipulate freed memory regions. Since this vulnerability is network-accessible via Bluetooth and requires no authentication or user interaction, it represents a severe threat to device security.
Successful exploitation could grant attackers the ability to execute arbitrary code within the context of the Bluetooth daemon process, potentially leading to full device compromise, data exfiltration, or persistent malware installation.
Root Cause
The root cause is a CWE-416 (Use After Free) memory management error in the process_service_attr_rsp function. The function fails to properly track the lifecycle of dynamically allocated memory structures used during SDP attribute response parsing. When specific sequences of SDP responses are processed, previously freed memory can be referenced, leading to undefined behavior that attackers can leverage for code execution.
Attack Vector
The attack vector is network-based, exploiting the Bluetooth protocol stack. An attacker within Bluetooth range of a vulnerable device can craft malicious SDP responses that trigger the use-after-free condition. The attack does not require the victim to take any action—simply having Bluetooth enabled can expose the device to exploitation. No authentication or elevated privileges are needed to initiate the attack, making this a particularly dangerous zero-click vulnerability.
The malicious SDP responses manipulate memory allocation patterns to achieve controlled memory corruption, which can then be leveraged to redirect execution flow and achieve arbitrary code execution.
Detection Methods for CVE-2025-0074
Indicators of Compromise
- Unusual Bluetooth daemon crashes or restarts (com.android.bluetooth process abnormal terminations)
- Unexpected Bluetooth connections from unknown or suspicious devices
- Memory corruption artifacts in Android system logs related to Bluetooth SDP operations
- Anomalous heap allocation patterns in the Bluetooth process memory space
Detection Strategies
- Monitor Android system logs for Bluetooth daemon crashes with stack traces pointing to sdp_discovery.cc or process_service_attr_rsp
- Implement Bluetooth connection monitoring to detect unusual service discovery patterns from untrusted devices
- Deploy mobile threat detection solutions capable of identifying exploitation attempts against the Bluetooth stack
- Utilize Android's built-in crash reporting to identify patterns consistent with memory corruption attacks
Monitoring Recommendations
- Enable verbose Bluetooth logging during security assessments to capture SDP transaction details
- Implement network-level Bluetooth traffic analysis to detect malformed SDP packets
- Monitor for unauthorized Bluetooth pairing attempts or service discovery requests from unknown devices
- Deploy SentinelOne Mobile Threat Defense to provide real-time protection against Bluetooth-based attacks
How to Mitigate CVE-2025-0074
Immediate Actions Required
- Apply the March 2025 Android security patch immediately to all affected devices
- Disable Bluetooth on devices that cannot be immediately patched, especially in high-risk environments
- Restrict Bluetooth discoverability to minimize exposure to potential attackers
- Ensure Android devices are configured to require user confirmation for Bluetooth pairing requests
Patch Information
Google has addressed this vulnerability in the Android Security Bulletin March 2025. The fix is available through the Android Bluetooth Module Update (commit 37bcf769c1aa8dfa8e5524858d47f6a80b765fa4). Organizations should prioritize deploying this update to all Android 15.0 devices through their mobile device management (MDM) solutions.
Workarounds
- Disable Bluetooth when not actively in use to eliminate the attack surface
- Enable Bluetooth in non-discoverable mode to reduce exposure to opportunistic attacks
- Implement network segmentation to isolate Bluetooth-enabled devices from critical infrastructure
- Use mobile device management policies to enforce Bluetooth security configurations across enterprise device fleets
- Consider temporarily blocking Bluetooth functionality via MDM for high-security environments until patches can be deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
