Cyber Resilience

CVE-2025-22403

Critical

Published: 26 August 2025

Published
26 August 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0226 85.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22403 is a critical-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22403 is a use-after-free vulnerability (CWE-416) in the function sdp_snd_service_search_req within sdp_discovery.cc of the Android Bluetooth module. The flaw resides in packages/modules/Bluetooth and carries a CVSS 3.1 score of 9.8, reflecting network-accessible arbitrary code execution without privileges or user interaction.

An unauthenticated remote attacker can trigger the condition over Bluetooth to achieve arbitrary code execution on an affected device. No additional execution privileges are required, and the attack does not depend on user interaction.

The March 2025 Android security bulletin and the referenced commit in the Bluetooth repository address the issue through source-level remediation; practitioners should apply the corresponding patch or the March 2025 Android monthly update to eliminate the vulnerable code path. The associated EPSS score remains flat at 0.0226 with no observed increase after disclosure.

EU & UK References

Vulnerability details

In sdp_snd_service_search_req of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Use-after-free in Bluetooth SDP service allows unauthenticated remote code execution via crafted SDP requests, directly mapping to exploitation of a remotely accessible service (T1190/T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22408Same product: Google Android
CVE-2025-22411Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2025-22412Same product: Google Android
CVE-2025-0074Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2024-40649Same product: Google Android
CVE-2025-22410Same product: Google Android
CVE-2025-48543Same product: Google Android
CVE-2024-40669Same product: Google Android

Affected Assets

google
android
15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability in the Android Bluetooth stack by requiring timely patching as provided in the vendor security bulletin.

prevent

Implements memory protection safeguards like ASLR and DEP to prevent arbitrary code execution resulting from the use-after-free condition.

prevent

Authorizes, monitors, and controls wireless access to restrict unauthenticated Bluetooth SDP service search requests that trigger the vulnerability.

References