CVE-2025-22403
Published: 26 August 2025
Summary
CVE-2025-22403 is a critical-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in the Android Bluetooth stack by requiring timely patching as provided in the vendor security bulletin.
Implements memory protection safeguards like ASLR and DEP to prevent arbitrary code execution resulting from the use-after-free condition.
Authorizes, monitors, and controls wireless access to restrict unauthenticated Bluetooth SDP service search requests that trigger the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Bluetooth SDP service allows unauthenticated remote code execution via crafted SDP requests, directly mapping to exploitation of a remotely accessible service (T1190/T1210).
NVD Description
In sdp_snd_service_search_req of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysisAI
CVE-2025-22403 is a use-after-free vulnerability (CWE-416) in the sdp_snd_service_search_req function within sdp_discovery.cc, part of the Android Bluetooth stack located in platform/packages/modules/Bluetooth. Published on 2025-08-26, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution without requiring additional privileges or user interaction.
A remote attacker can exploit this vulnerability by sending a specially crafted SDP service search request over Bluetooth, triggering the use-after-free condition. No authentication, privileges, or user involvement is needed, allowing exploitation from network-accessible range via Bluetooth. Successful exploitation enables arbitrary code execution on the affected device.
Mitigation is addressed in the Android Security Bulletin for March 2025 at https://source.android.com/security/bulletin/2025-03-01, with a specific patch commit available at https://android.googlesource.com/platform/packages/modules/Bluetooth/+/37bcf769c1aa8dfa8e5524858d47f6a80b765fa4. Security practitioners should ensure affected Android devices apply these updates to prevent exploitation.
Details
- CWE(s)