CVE-2025-22412 Overview
CVE-2025-22412 is a use-after-free [CWE-416] in multiple functions of sdp_server.cc in the Android Bluetooth module. The flaw stems from a logic error in the Service Discovery Protocol (SDP) server code. An attacker within Bluetooth radio range can trigger it to achieve remote code execution in the Bluetooth process without elevated privileges and without any user interaction. Google addressed the issue in the Android Security Bulletin published on March 1, 2025.
Critical Impact
Proximity-based remote code execution on Android 15 devices via crafted Bluetooth SDP traffic, requiring no user interaction and no additional privileges.
Affected Products
- Google Android 15.0
- Android Bluetooth module (packages/modules/Bluetooth)
- Android 15 devices that have not yet received the 2025-03-01 security patch level
Discovery Timeline
- 2025-03-01 - Google publishes fix in the Android Security Bulletin
- 2025-08-26 - CVE-2025-22412 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-22412
Vulnerability Analysis
The vulnerability resides in sdp_server.cc, the component that answers inbound Service Discovery Protocol requests over Bluetooth. SDP lets a Bluetooth peer enumerate the services a device exposes during connection setup; it runs over L2CAP on PSM 0x0001 and is served before pairing, so any device in radio range that knows the target's Bluetooth address can send requests to it. A logic error in the request-handling code causes the server to keep using memory that has already been freed. If the attacker can reallocate the freed chunk with data of their choosing before the stale pointer is dereferenced, the server reads attacker-controlled contents; that is the usual route from a use-after-free to corrupted control structures and execution of attacker-controlled code inside the Bluetooth process.
Root Cause
The root cause is a use-after-free [CWE-416] arising from inconsistent object lifetime management across several SDP handler functions: one code path releases an SDP record or its associated buffer while another path keeps the pointer and reuses it later. The corresponding fix is commit 806774b1cf641e0c0e7df8024e327febf23d7d7c in the Android Bluetooth tree; see the Android Bluetooth Module Update for the source-level change.
Attack Vector
Exploitation requires Bluetooth radio proximity to the target, and Bluetooth must be enabled, which it is by default on most Android handsets and wearables. Because SDP is served before pairing, the attacker does not need to be a bonded peer; knowing or scanning the target's Bluetooth address is enough to open the SDP channel. The attacker sends crafted SDP requests that drive the vulnerable handler sequence in sdp_server.cc so that the underlying object is freed while a stale reference remains; a follow-up request then reuses the dangling pointer to corrupt memory in the Bluetooth process. Success yields code execution in the context of that process (the bluetooth user, not root) without any tap, click, or pairing confirmation from the user. No verified public proof-of-concept was available at the time of writing.
Detection Methods for CVE-2025-22412
Indicators of Compromise
- Unexpected crashes, restarts, or tombstone entries for the Bluetooth process (com.android.bluetooth; the package name can differ on devices that ship the Mainline Bluetooth module) in logcat and /data/tombstones/. Reading /data/tombstones/ directly requires a rooted or engineering build; on production devices collect the tombstones through adb bugreport.
- Anomalous inbound SDP requests from unpaired peers, especially repeated or malformed service search and attribute requests.
- Memory-corruption reports from AddressSanitizer or HWASan. These only appear on test or engineering builds compiled with a sanitizer; a production build simply crashes, so treat the crash pattern above as the production-side signal.
Detection Strategies
- Monitor Android device telemetry for repeated Bluetooth stack crashes correlated with nearby unknown Bluetooth MAC addresses.
- Use mobile threat defense tooling to flag devices running pre-March 2025 security patch levels still exposed to adjacent-network Bluetooth attacks.
- Inspect HCI snoop logs (btsnoop_hci.log) for unusual SDP PDU sequences, in particular bursts of ServiceSearch, ServiceAttribute and ServiceSearchAttribute requests from a single peer or PDUs whose declared parameter length does not match the payload. Snoop logging is off by default and must be enabled under Developer options (Enable Bluetooth HCI snoop log), so it has to be collected on test devices or a canary fleet in advance rather than pulled retrospectively.
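One way to hunt over a captured btsnoop_hci.log is to follow each HCI ACL packet into L2CAP, learn which channels were opened for the SDP PSM, and count inbound SDP request PDUs per remote address. The script below is an added example written for this page; it is not Android code, and the request threshold, the helper names and the sample log (constructed inline) are assumptions. It also assumes Android's H4 framing (datalink 1002), inspects only the first fragment of each ACL packet, and never reclaims a channel after disconnect.

```python
"""Hunt for noisy or malformed SDP requests in an Android btsnoop_hci.log.

Added example, not code from the page or from the Android project.  It walks the
btsnoop container, follows HCI ACL data into L2CAP, learns which channels were
opened for the SDP PSM (0x0001), and counts inbound SDP request PDUs per remote
BD_ADDR (learned from HCI Connection Complete events).  Peers that exceed
MAX_SDP_REQUESTS or send a PDU whose declared parameter length disagrees with
the payload are reported.  Assumed simplifications: only first ACL fragments are
inspected and channels are never reclaimed.  The sample log is constructed.
"""
import struct
from collections import defaultdict

SDP_PSM = 0x0001
SDP_REQUEST_PDUS = {0x02, 0x04, 0x06}  # ServiceSearch, ServiceAttribute, ServiceSearchAttribute
MAX_SDP_REQUESTS = 5                    # assumed threshold; tune per environment


def parse_btsnoop(data):
    """Yield (received, packet) per record; packet starts with the H4 type byte."""
    if data[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", data[8:16])
    if datalink != 1002:  # H4 framing, as Android writes it
        raise ValueError("unsupported datalink %d" % datalink)
    off = 16
    while off + 24 <= len(data):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield bool(flags & 1), data[off:off + incl]  # flags bit 0: 1 = controller -> host
        off += incl


def analyze(data):
    """Return (sdp_request_count, malformed_count), both keyed by peer address."""
    handle_to_addr, sdp_local_cids, pending = {}, set(), {}
    counts, malformed = defaultdict(int), defaultdict(int)
    for received, pkt in parse_btsnoop(data):
        if len(pkt) >= 12 and pkt[0] == 0x04 and pkt[1] == 0x03 and pkt[3] == 0:
            # HCI Connection Complete (success): map ACL handle -> BD_ADDR (sent little-endian)
            handle = struct.unpack("<H", pkt[4:6])[0] & 0x0FFF
            handle_to_addr[handle] = ":".join("%02X" % b for b in pkt[6:12][::-1])
            continue
        if pkt[:1] != b"\x02" or len(pkt) < 9:
            continue  # not ACL data
        hf, _acl_len = struct.unpack("<HH", pkt[1:5])
        handle, pb = hf & 0x0FFF, (hf >> 12) & 0x3
        if pb not in (0x0, 0x2):
            continue  # continuation fragment (assumed simplification: skipped)
        l2len, cid = struct.unpack("<HH", pkt[5:9])
        payload = pkt[9:9 + l2len]
        if cid == 0x0001 and len(payload) >= 4:  # L2CAP signaling channel
            code, ident = payload[0], payload[1]
            body = payload[4:4 + struct.unpack("<H", payload[2:4])[0]]
            if code == 0x02 and len(body) >= 4:  # Connection Request
                psm, _scid = struct.unpack("<HH", body[:4])
                if psm == SDP_PSM:
                    pending[(handle, ident)] = True
            elif code == 0x03 and len(body) >= 8 and pending.pop((handle, ident), False):
                dcid, scid, result, _status = struct.unpack("<HHHH", body[:8])
                if result == 0:
                    # the CID on inbound data is always the local one:
                    # DCID if we sent the response, SCID if the peer sent it
                    sdp_local_cids.add((handle, scid if received else dcid))
            continue
        if received and (handle, cid) in sdp_local_cids:
            peer = handle_to_addr.get(handle, "handle-%#x" % handle)
            if len(payload) < 5:  # shorter than an SDP PDU header
                malformed[peer] += 1
                continue
            pdu_id, _tid, plen = struct.unpack(">BHH", payload[:5])
            if pdu_id in SDP_REQUEST_PDUS:
                counts[peer] += 1
            if plen != len(payload) - 5:  # declared parameter length disagrees with payload
                malformed[peer] += 1
    return counts, malformed


def find_suspicious(data):
    """Peers that sent too many SDP requests or at least one malformed PDU."""
    counts, malformed = analyze(data)
    peers = set(counts) | set(malformed)
    return sorted(p for p in peers if counts[p] > MAX_SDP_REQUESTS or malformed[p])


# --- constructed sample log (not a real capture) ----------------------------
def _rec(received, pkt):
    flags = (1 if received else 0) | (2 if pkt[0] in (0x01, 0x04) else 0)
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, 0) + pkt

def _acl(handle, cid, payload):
    l2 = struct.pack("<HH", len(payload), cid) + payload
    return b"\x02" + struct.pack("<HH", handle | (0x2 << 12), len(l2)) + l2

def _sdp(pdu_id, tid, params, declared=None):
    declared = len(params) if declared is None else declared
    return struct.pack(">BHH", pdu_id, tid, declared) + params

def build_sample_log():
    handle, rcid, lcid = 0x0040, 0x0045, 0x0041
    bd = bytes.fromhex("AABBCCDDEE01")[::-1]  # BD_ADDR goes on the wire little-endian
    recs = [_rec(True, b"\x04\x03\x0b\x00" + struct.pack("<H", handle) + bd + b"\x01\x00")]
    recs.append(_rec(True, _acl(handle, 0x0001, b"\x02\x01\x04\x00" + struct.pack("<HH", SDP_PSM, rcid))))
    recs.append(_rec(False, _acl(handle, 0x0001, b"\x03\x01\x08\x00" + struct.pack("<HHHH", lcid, rcid, 0, 0))))
    # ServiceSearchAttributeRequest: UUID 0x1100, max bytes 0xffff, attr range 0x0000-0xffff, no continuation
    ssar = bytes.fromhex("3503191100ffff35050a0000ffff00")
    for tid in range(6):
        recs.append(_rec(True, _acl(handle, lcid, _sdp(0x06, tid, ssar))))
    recs.append(_rec(True, _acl(handle, lcid, _sdp(0x06, 6, ssar, declared=0x7FFF))))  # lies about its length
    return b"btsnoop\x00" + struct.pack(">II", 1, 1002) + b"".join(recs)


if __name__ == "__main__":
    print(find_suspicious(build_sample_log()))
```

Run it against a real capture with `find_suspicious(open("btsnoop_hci.log", "rb").read())`. The constructed log opens one SDP channel from a single peer and sends seven ServiceSearchAttributeRequests, the last with a bogus parameter length, so that peer is reported. A high request count alone is not proof of exploitation (some headsets re-query SDP aggressively), so correlate hits with Bluetooth process crashes from the indicators above.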
Monitoring Recommendations
- Track the Android security patch level property (ro.build.version.security_patch) across the fleet and alert on Android 15 devices reporting a value earlier than 2025-03-01.
- Centralize crash and Bluetooth subsystem logs through enterprise mobility management for retrospective hunting.
- Watch for excessive Bluetooth advertising or SDP scans in physical environments where sensitive Android devices operate.
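The fleet check above is easy to get wrong in two ways: comparing patch levels as strings from devices that report nothing, and treating a missing property as "patched". The script below is an added example for this page (not Android or EMM vendor code); it classifies `adb shell getprop` output per device, which uses the `[key]: [value]` line format, and keeps unknown and unlisted cases separate from exposed ones. The serials and property excerpts are constructed.

```python
"""Classify a fleet against the 2025-03-01 patch level for CVE-2025-22412.

Added example, not from the page or from Android.  Input per device is the text
of `adb shell getprop` (or an EMM export in the same format); the sample fleet
below is constructed.  Verdicts: EXPOSED (Android 15, patch level earlier than
2025-03-01), PATCHED, NOT_LISTED (a release the advisory does not list), and
UNKNOWN (property missing or unparsable, never silently treated as patched).
"""
import re
from datetime import date

FIX_LEVEL = date(2025, 3, 1)
AFFECTED_RELEASE = "15"  # the advisory lists only Android 15
_PROP = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; unrelated lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = _PROP.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def classify(props):
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    if not release:
        return "UNKNOWN"
    try:
        level = date.fromisoformat(patch)  # property is YYYY-MM-DD
    except ValueError:
        return "UNKNOWN"
    if release.split(".")[0] != AFFECTED_RELEASE:
        return "NOT_LISTED"
    return "PATCHED" if level >= FIX_LEVEL else "EXPOSED"


def audit(fleet):
    """fleet: {serial: getprop text} -> {serial: verdict}."""
    return {serial: classify(parse_getprop(text)) for serial, text in fleet.items()}


SAMPLE_FLEET = {  # constructed getprop excerpts, not real devices
    "emulator-5554": "[ro.build.version.release]: [15]\n"
                     "[ro.build.version.security_patch]: [2025-02-05]\n",
    "R3CN50AB1":     "[ro.build.version.release]: [15]\n"
                     "[ro.build.version.security_patch]: [2025-03-05]\n",
    "pixel-x":       "[ro.build.version.release]: [14]\n"
                     "[ro.build.version.security_patch]: [2025-01-05]\n",
    "broken":        "[ro.build.version.release]: [15]\n",
}

if __name__ == "__main__":
    for serial, verdict in sorted(audit(SAMPLE_FLEET).items()):
        print(serial, verdict)
```

NOT_LISTED devices are not necessarily safe; they simply fall outside what this advisory covers, and the bulletin for their own release is the authority. Feed real data with something like `{s: subprocess.run(["adb", "-s", s, "shell", "getprop"], capture_output=True, text=True).stdout for s in serials}`.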
How to Mitigate CVE-2025-22412
Immediate Actions Required
- Apply the March 2025 Android security patch level or later to all affected Android 15 devices.
- Identify devices that cannot receive the patch and disable Bluetooth on them until a vendor update is available.
- Restrict device discoverability and remove pairings that are no longer needed. This only makes the device harder to find; SDP does not require pairing, so a peer that already knows the Bluetooth address can still reach the vulnerable code. Treat it as hardening, not as a substitute for the patch.
Patch Information
Google published the fix in the Android Security Bulletin March 2025. Device manufacturers integrate the change into their own OTA releases on independent schedules. The upstream source change is available in the Android Bluetooth Module Update. Confirm patch deployment by verifying that ro.build.version.security_patch reports 2025-03-01 or later.
Workarounds
- Disable Bluetooth on devices that have not yet received the March 2025 or later patch level.
- Avoid leaving Bluetooth in discoverable mode in untrusted physical environments such as conferences and transit hubs, bearing in mind that non-discoverable is not the same as unreachable.
- Enforce mobile device management policies that block Bluetooth on high-risk roles until patch compliance is verified.
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2025-03-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

