Cyber Resilience

CVE-2025-22408

Critical

Published: 26 August 2025

Published
26 August 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0198 84.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22408 is a critical-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22408 is a use-after-free vulnerability in the function rfc_check_send_cmd within rfc_utils.cc of the Android Bluetooth module. The flaw resides in the Bluetooth stack shipped as part of AOSP packages/modules/Bluetooth and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible arbitrary code execution without privileges or user interaction.

An unauthenticated remote attacker can send crafted RFCOMM commands over Bluetooth to trigger the use-after-free condition, resulting in remote code execution on the target device. No additional execution privileges or user interaction are required for successful exploitation.

The Android Security Bulletin for March 2025 and the corresponding AOSP commit 806774b1cf641e0c0e7df8024e327febf23d7d7c address the issue through updated Bluetooth code; devices are protected by applying the March 2025 Android security patch level or later. The associated EPSS score remains low and flat at 0.0198 with no material increase after disclosure.

EU & UK References

Vulnerability details

In rfc_check_send_cmd of rfc_utils.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

UAF flaw in exposed Bluetooth stack directly enables unauthenticated remote exploitation for RCE (T1190/T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22403Same product: Google Android
CVE-2025-22411Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2025-22412Same product: Google Android
CVE-2025-0074Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2024-40649Same product: Google Android
CVE-2025-22410Same product: Google Android
CVE-2025-48543Same product: Google Android
CVE-2024-40669Same product: Google Android

Affected Assets

google
android
15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the use-after-free vulnerability by requiring timely remediation through patching, as provided in the Android Security Bulletin.

prevent

Implements memory protection mechanisms such as non-executable memory and address space randomization to prevent exploitation of use-after-free errors.

prevent

Restricts and authorizes wireless access, including Bluetooth, to limit remote attack surface for unauthenticated exploitation.

References