CVE-2025-0074 Overview
CVE-2025-0074 is a use-after-free vulnerability in the Android Bluetooth stack, specifically within the process_service_attr_rsp function of sdp_discovery.cc. The flaw allows remote attackers to execute arbitrary code on affected Android 15 devices without requiring user interaction or additional execution privileges. Exploitation occurs over the network attack surface exposed by the Service Discovery Protocol (SDP) component of Bluetooth. Google addressed the issue in the March 2025 Android Security Bulletin through a Bluetooth module update.
Critical Impact
Attackers can achieve remote code execution on Android 15 devices through the Bluetooth SDP stack without user interaction, enabling silent device compromise within Bluetooth range.
Affected Products
- Google Android 15.0
- Android Bluetooth module (packages/modules/Bluetooth)
- Devices receiving security patch level prior to 2025-03-01
Discovery Timeline
- 2025-08-26 - CVE-2025-0074 published to the National Vulnerability Database
- 2025-09-02 - Last updated in NVD database
Technical Details for CVE-2025-0074
Vulnerability Analysis
The vulnerability resides in process_service_attr_rsp, a handler within sdp_discovery.cc responsible for parsing Service Discovery Protocol (SDP) attribute responses. SDP is the Bluetooth protocol used to discover available services and their attributes on remote devices. The function mishandles object lifetime during response processing, leading to a use-after-free condition classified as [CWE-416].
When the freed memory is later dereferenced or reallocated with attacker-controlled data, an adversary can corrupt execution flow. Successful exploitation yields arbitrary code execution within the Bluetooth process context. No authentication is required, and the attack proceeds without any user interaction on the target device.
Root Cause
The root cause is improper memory management in the SDP discovery state machine. An object referenced during attribute response processing is released while a pointer to it remains in use. Subsequent operations on the dangling pointer allow attacker-supplied data to be interpreted as a valid object, including function pointers or virtual table entries.
Attack Vector
The attack vector is network-adjacent over Bluetooth. An attacker within Bluetooth range crafts malformed SDP attribute response packets and delivers them during service discovery interactions. Because SDP exchanges can occur during pairing or routine device enumeration, exploitation does not require the victim to accept any prompt or open any application.
The vulnerability manifests during parsing of SDP attribute responses in the Bluetooth daemon. Refer to the Google Bluetooth Module Update for the upstream fix and the Android Security Bulletin March 2025 for vendor guidance.
Detection Methods for CVE-2025-0074
Indicators of Compromise
- Unexpected crashes or restarts of the com.android.bluetooth process in logcat and tombstone files
- Anomalous SDP service discovery requests from unknown Bluetooth peers in proximity to managed devices
- Bluetooth stack memory faults referencing process_service_attr_rsp or sdp_discovery symbols
- Devices reporting a security patch level earlier than 2025-03-01
Detection Strategies
- Inventory mobile fleet patch levels and flag any Android 15 device below the 2025-03-01 security patch level
- Monitor mobile device management (MDM) telemetry for repeated Bluetooth service crashes that may indicate exploitation attempts
- Correlate Bluetooth proximity alerts with device crash reports to identify targeted attacks
Monitoring Recommendations
- Enable crash reporting and tombstone collection on managed Android endpoints for forensic review
- Track Bluetooth pairing and discovery events through MDM logs to baseline normal behavior
- Alert on Android devices that fall out of compliance with the March 2025 or later security patch baseline
How to Mitigate CVE-2025-0074
Immediate Actions Required
- Apply the March 2025 Android security patch level (2025-03-01 or later) to all Android 15 devices
- Disable Bluetooth on devices that cannot receive the patch, particularly in untrusted environments
- Restrict Bluetooth discoverability and pairing on managed devices through MDM policy until patched
Patch Information
Google released the fix in the Android Security Bulletin March 2025. The corresponding source change is available in the Google Bluetooth Module Update commit 37bcf769c1aa8dfa8e5524858d47f6a80b765fa4. Device manufacturers ship the fix through their respective OTA channels, so administrators should confirm vendor-specific availability for each device model.
Workarounds
- Turn off Bluetooth when not in active use, especially in public or high-risk environments
- Set devices to non-discoverable mode to reduce exposure to unsolicited SDP requests
- Enforce MDM configuration profiles that block Bluetooth on devices pending patch deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
