CVE-2025-48593

"A single malicious packet can own your device." — Android Security Team, Nov 2025

Zero-Click Remote Code Execution in Android System (Bluetooth Subsystem)


⚠️ Critical Scope Clarification (Updated April 2026)

Standard phones and tablets are NOT vulnerable. CVE-2025-48593 only affects Android devices that support acting as Bluetooth headphones/speakers — such as smartwatches, smart glasses, and cars. Additionally, an attacker must get the victim to accept a Bluetooth pairing request before exploiting the headset service. Simply declining the pairing request provides protection. Source: Independent PoC researcher (worthdoingbadly.com, Dec 2025)


Vulnerability Snapshot

| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-48593 |
| Severity | Critical (RCE, Zero-Click) |
| CVSS v3.1 Score | 7.8 (HIGH) ✅ NVD Confirmed |
| CVSS Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Local / Network (Bluetooth) |
| User Interaction | ❌ None required beyond the accepted pairing noted in the scope clarification above |
| Privileges Required | ❌ None (the NVD vector above rates this as PR:L) |
| Root Cause | Use-After-Free in bta_hf_client_cb_init (bta_hf_client_main.cc) |
| Android Bug ID | A-374746961 |
| Exploit Status | ⚠️ Emulator PoC exists; no confirmed attacks on real devices |
| Disclosed | November 3, 2025 (Google November Android Security Bulletin) |

⚠️ Note: The original estimated CVSS of 9.8 has been revised. NVD has officially confirmed the score as 7.8 (HIGH). The vulnerability is local-attack-vector rather than fully remote network-level.


Affected Devices & Versions

| Android Version | Affected Builds |
|---|---|
| Android 13 | All builds Oct 2023 – Oct 2025 |
| Android 14 | All builds Oct 2023 – Oct 2025 |
| Android 15 | All builds up to Oct 2025 |
| Android 16 | Builds Jul 2025 – Oct 2025 ⚠️ |

Devices running patch level 2025-11-01 or later are protected.

GrapheneOS users are additionally protected via hardened_malloc and hardware memory tagging, which significantly mitigate this class of memory corruption vulnerability even on unpatched builds.


Root Cause & Technical Breakdown

The vulnerability resides in the Bluetooth subsystem, specifically in the bta_hf_client_cb_init function within bta_hf_client_main.cc. It is a use-after-free flaw in the Bluetooth Hands-Free Profile (HFP) client implementation. The fix involved two commits to the Bluetooth module.

```c
// Simplified pseudocode illustrating the vulnerable path (not the real AOSP source)
void bta_hf_client_cb_init(tBTA_HF_CLIENT_CB *client_cb) {
    free(client_cb->p_disc_db);        // SDP discovery DB freed on error
    // ... other processing ...
    use(client_cb->p_disc_db);         // ⚠️ use-after-free! CVE-2025-48593
    execute_callback(client_cb);        // attacker-controlled code path
}
```

Precise trigger: Before the patch, when the peer answers an SDP discovery with an error, bta_hf_client_sdp_cback emits BTA_HF_CLIENT_DISC_INT_RES_EVT, which frees the tSDP_DISCOVERY_DB while client_cb->p_disc_db still holds the stale pointer to the freed memory. That dangling reference remains in the control block, ready to be dereferenced by later code.
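To make the failure mode concrete, the following is an added illustrative model in C; it is not the AOSP Bluetooth code and does not reproduce the actual fix commits. The struct layout, the callback bodies and the helper names (sdp_cback_vulnerable, sdp_cback_fixed, disc_db_usable, stale_after_sdp_error) are assumptions; only the names tBTA_HF_CLIENT_CB and p_disc_db are taken from the page.

```c
/* Added illustrative model of the bug class described above. NOT the AOSP Bluetooth
 * stack: struct layout, callback bodies and helper names are assumptions that mirror
 * the page's tBTA_HF_CLIENT_CB / p_disc_db in simplified form. */
#include <stdbool.h>
#include <stdlib.h>

#define SDP_SUCCESS 0
#define SDP_ERROR   1

typedef struct { unsigned char raw[64]; } tSDP_DISCOVERY_DB;  /* placeholder body */
typedef struct {
    tSDP_DISCOVERY_DB *p_disc_db;   /* discovery DB owned by the control block */
    bool disc_active;
} tBTA_HF_CLIENT_CB;

/* Vulnerable shape: the SDP error path frees the discovery DB but leaves the
 * pointer in the control block, so later handlers still see a non-NULL p_disc_db. */
static void sdp_cback_vulnerable(tBTA_HF_CLIENT_CB *cb, int status) {
    if (status != SDP_SUCCESS) {
        free(cb->p_disc_db);        /* memory returned to the allocator ... */
        /* ... but cb->p_disc_db is never cleared: a dangling reference remains */
    }
    cb->disc_active = false;
}

/* Hardened shape: free and clear in the same place, so every later NULL check
 * fails closed instead of reaching freed memory. */
static void sdp_cback_fixed(tBTA_HF_CLIENT_CB *cb, int status) {
    if (status != SDP_SUCCESS) {
        free(cb->p_disc_db);
        cb->p_disc_db = NULL;       /* no stale pointer survives the error path */
    }
    cb->disc_active = false;
}

/* Every later access to the discovery DB must be gated on this check; the check
 * is only meaningful if the error path cleared the pointer. */
static bool disc_db_usable(const tBTA_HF_CLIENT_CB *cb) {
    return cb->p_disc_db != NULL;
}

/* Drive one SDP-error round trip; returns true if a stale reference survives it. */
static bool stale_after_sdp_error(bool hardened) {
    tBTA_HF_CLIENT_CB cb = { .p_disc_db = calloc(1, sizeof(tSDP_DISCOVERY_DB)),
                             .disc_active = true };
    if (hardened) sdp_cback_fixed(&cb, SDP_ERROR);
    else          sdp_cback_vulnerable(&cb, SDP_ERROR);
    return disc_db_usable(&cb);     /* vulnerable path: true; hardened path: false */
}
```

The same clear-on-free discipline is what hardened_malloc and hardware memory tagging enforce at runtime when the code itself forgets it.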

Attack Vectors: Malformed Bluetooth packets crafted to trigger the HFP handler during SDP negotiation.

Impact: The vulnerable handler runs in a privileged Bluetooth process context with no user interaction required, enabling silent code execution.

⚠️ The flaw only affects devices acting as Bluetooth headset/speaker clients (e.g., smartwatches, smart glasses, Android Automotive). Standard phones and tablets do not expose the HFP headset service by default.


Exploit Status (Updated: April 2026)

| Status | Details |
|---|---|
| Public PoC | ⚠️ Emulator crash PoC exists (crashes Bluetooth service only); does not defeat ASLR |
| Real-device attacks | ✅ None documented as of April 2026 |
| Weaponized exploit | ❌ No confirmed weaponized exploit; PoC not viable for real attackers |
| Fraudulent exploit sales | ⚠️ Reported; likely malware/scams, not working exploits |
| Malware associations | ⚠️ Airstalk & Chrysaor named by some sources; unverified, treat with caution |
| LineageOS patch | ✅ Incorporated into LineageOS source |

Immediate Mitigation Steps

```sh
# 1. Check your patch level
adb shell getprop ro.build.version.security_patch
# → Should show: 2025-11-01 or later
```

For Users

  1. Update Now — ⚙️ Settings → System → System Update
  2. Enable Play Protect — Google Play → Play Protect → Scan
  3. Disable Bluetooth when not in use — especially in public spaces (critical for smartwatch/glasses/car users)
  4. Decline unknown Bluetooth pairing requests — attacker requires accepted pairing before exploitation
  5. Do not sideload apps from untrusted sources

For Enterprise / OEM

  • Apply the 2025-11-05 security patch via AOSP
  • Enforce patch rollouts via MDM/EMM; block unpatched devices from sensitive resources
  • Monitor for anomalous Bluetooth traffic and unexpected kernel crashes
  • Apply platform mitigations: ASLR, stack canaries, CFI where possible
  • Consider GrapheneOS or hardened builds for high-risk deployments — hardened_malloc and HW memory tagging mitigate this class of flaw
  • Harden input validation on system/Bluetooth boundaries

For Researchers

Only test on devices you own or have explicit permission to test. Use isolated labs with no production connectivity. Follow coordinated disclosure. Never publish weaponized exploit code.


Technical Attack Chain

| Stage | Action | Requirement |
|---|---|---|
| 1. Pairing | Attacker gets victim to accept BT pairing | Victim accepts pairing |
| 2. Packet Crafting | Attacker builds malformed Bluetooth HFP SDP packet | None |
| 3. Transmission | Sent over Bluetooth channel | Proximity / BT range |
| 4. Reception | Device receives packet (no further user action) | Unpatched Android 13–16 with HFP headset mode |
| 5. Processing | Bluetooth HFP handler processes SDP error response | Vulnerable code path |
| 6. Use-After-Free | Freed p_disc_db pointer referenced, attacker controls ptr | Memory layout assumption |
| 7. Execution | Arbitrary code runs in Bluetooth process context | Pre-ASLR defeat required |
| 8. Persistence | Install malware, exfiltrate data, pivot | Full device control |

Exploitation Flow

```mermaid
sequenceDiagram
    participant Attacker as Attacker
    participant BT as Bluetooth Channel
    participant Device as Android Device (Headset Mode)
    participant System as Bluetooth HFP Handler

    Attacker->>Device: Request Bluetooth Pairing
    Device-->>Attacker: Victim accepts pairing
    Attacker->>BT: Send Malformed HFP SDP Packet
    BT->>Device: Deliver Packet (Zero further interaction)
    Device->>System: bta_hf_client_sdp_cback(error)
    Note over System: p_disc_db freed, dangling pointer remains
    Note over System: ⚠️ Use-After-Free triggered
    System-->>Device: Corrupted memory / dangling pointer
    Device->>System: Execute attacker-controlled code
    System->>Attacker: Remote Shell / Data Exfiltration
    Note over Device,System: Full RCE Achieved
```

Patch Application Flow

```mermaid
graph TD
    A[Google Releases Patch\nNov 1/5, 2025] --> B{OEM Integration}
    B --> C[Samsung, OnePlus, etc.]
    B --> D[Google Pixel]
    B --> E[LineageOS ✅ Patched]
    B --> F[GrapheneOS ✅ Patched\n+ hardened_malloc mitigation]
    C --> G[Monthly Security Update]
    D --> H[Pixel OTA Push]
    G & H & E & F --> I[User Installs Update]
    I --> J[Patch Level: 2025-11-01+]
    J --> K[✅ CVE-2025-48593 Mitigated]
    style A fill:#1976d2,color:#fff
    style K fill:#1b5e20,color:#fff
    style I fill:#ff9800,color:#fff
```

Defense-in-Depth

```mermaid
graph LR
    subgraph "Prevention"
        P1[Apply Nov 2025 Patch]
        P2[Disable Unused Bluetooth]
        P3[Google Play Protect]
        P4[Decline Unknown BT Pairings]
        P5[Use GrapheneOS / Hardened Build]
    end
    subgraph "Detection"
        D1[Monitor Anomalous BT Traffic]
        D2[Watch for Bluetooth Service Crashes]
        D3[Endpoint Forensics]
    end
    subgraph "Response"
        R1[Isolate Device]
        R2[Force OTA Update]
        R3[Report to Google/OEM]
    end
    P1 & P2 & P3 & P4 & P5 --> D1 & D2 & D3 --> R1 & R2 & R3
    style P1 fill:#1b5e20,color:#fff
    style R1 fill:#b71c1c,color:#fff
```

Related CVEs

| CVE | Severity | Type | Affected | Status |
|---|---|---|---|---|
| CVE-2025-48581 | High | EoP | Android 16 only | Patched Nov 2025 |
| CVE-2025-48633 | High | Info Disclosure | Android Framework | ⚠️ Actively exploited; CISA KEV Dec 2, 2025 |
| CVE-2025-48572 | High | EoP | Android Framework | ⚠️ Actively exploited; CISA KEV Dec 2, 2025 |

CVE-2025-48633 and CVE-2025-48572 were added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 2, 2025. U.S. federal agencies were mandated to patch by December 23, 2025.


Changelog

| Date | Update |
|---|---|
| Nov 3, 2025 | Initial disclosure via Google November Android Security Bulletin |
| Nov 5, 2025 | AOSP patch released (two commits to Bluetooth module) |
| Nov 22, 2025 | Root cause clarified: use-after-free in bta_hf_client_cb_init (bta_hf_client_main.cc) |
| Dec 2, 2025 | Related CVEs 48633 & 48572 added to CISA KEV catalog |
| Dec 2025 | Independent PoC published; confirms phones/tablets NOT affected; only BT headset-mode devices vulnerable; pairing consent required |
| Mar 2026 | NVD CVSS confirmed at 7.8 HIGH; no real-device exploitation confirmed |
| Apr 2026 | Scope clarification elevated to top-level warning; GrapheneOS mitigation noted; malware associations (Airstalk, Chrysaor) flagged as unverified |

References
