A critical remote code execution vulnerability has been identified in the Bluetooth driver of the Android operating system. An unauthenticated attacker within Bluetooth range can exploit this flaw to execute malicious code, potentially gaining complete control over an affected device. This could lead to total loss of confidentiality, integrity, and availability of the device and its data without any user interaction.

The vulnerability is an out-of-bounds write within the Android Bluetooth driver. It stems from an incorrect bounds check when processing certain Bluetooth packets. An attacker can craft a malicious Bluetooth packet that, when processed by a vulnerable device, causes data to be written outside of the intended memory buffer. This memory corruption can be leveraged to overwrite critical system data or function pointers, leading to arbitrary code execution with the privileges of the Bluetooth driver, which are often elevated (kernel-level). Exploitation requires the attacker to be within physical proximity (Bluetooth range) of the target device but does not require prior pairing or any user interaction.

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the ease of exploitation and the severe potential impact. Successful exploitation could grant an attacker complete control over an employee's mobile device, leading to significant business risks. These risks include the theft of sensitive corporate data (emails, documents, credentials), the installation of persistent spyware for long-term surveillance, using the compromised device as a pivot point to attack the internal corporate network, and disruption of business continuity. A widespread compromise of company-managed mobile devices could result in significant financial and reputational damage.

Immediate Action: The primary remediation is to apply the security updates provided by Google and the respective device manufacturers. System administrators should use their Mobile Device Management (MDM) platform to enforce the installation of the latest Android security patches on all corporate-owned and managed devices. End-users of personal devices should be instructed to immediately check for and apply system updates via Settings > System > System update.

Proactive Monitoring: Monitor for anomalous behavior on managed mobile devices. This includes unexpected crashes or restarts of the Bluetooth service, which may be logged by an MDM or EDR solution. Network monitoring should be used to detect unusual outbound traffic from mobile devices to unknown IP addresses, which could indicate a post-exploitation command-and-control (C2) connection.

Compensating Controls: If patching cannot be immediately deployed, implement the following controls:

• Disable Bluetooth: Enforce a policy through MDM to disable Bluetooth on all devices. If an MDM policy is not possible, instruct all users to manually turn off Bluetooth when it is not actively in use, especially in public or untrusted environments.
• User Awareness: Communicate the risk to all employees, explaining the threat and the importance of applying updates and disabling Bluetooth.
• Network Segmentation: Ensure that mobile devices connect to a segmented network (e.g., a guest Wi-Fi network) that is isolated from critical internal corporate resources to limit the lateral movement of an attacker.

Public Exploit Available: false

This vulnerability poses a severe and immediate threat to the organization. We recommend that the patching of all affected Android devices be treated as the highest priority. The IT security team must use its device management capabilities to identify all vulnerable assets and expedite the deployment of the required security updates. For devices that cannot be patched immediately, the compensating control of disabling Bluetooth must be enforced. Due to the critical CVSS score and the low-complexity attack vector, this vulnerability should be addressed with urgency, regardless of its current CISA KEV status.