CVE-2025-22408
Published: 26 August 2025
Summary
CVE-2025-22408 is a critical-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the use-after-free vulnerability by requiring timely remediation through patching, as provided in the Android Security Bulletin.
- SI-16 (Memory Protection): Implements memory protection mechanisms such as non-executable memory and address space randomization to hinder exploitation of use-after-free errors.
- Restricts and authorizes wireless access, including Bluetooth, to limit the remote attack surface exposed to unauthenticated exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The UAF flaw in the exposed Bluetooth stack directly enables unauthenticated remote exploitation for RCE (T1190/T1210).
NVD Description
In rfc_check_send_cmd of rfc_utils.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis
CVE-2025-22408 is a use-after-free vulnerability in the rfc_check_send_cmd function within rfc_utils.cc, part of the Android platform's Bluetooth module (packages/modules/Bluetooth). This flaw enables remote code execution without requiring additional privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-416 (Use After Free). It affects Android devices with the vulnerable Bluetooth implementation.
A remote attacker can exploit this vulnerability over the network without user interaction or privileges, potentially achieving arbitrary code execution on the target device. The attack requires low complexity, making it highly feasible for unauthenticated adversaries in proximity via Bluetooth connections.
Google has addressed the issue in the Android Open Source Project with a specific patch commit (806774b1cf641e0c0e7df8024e327febf23d7d7c), detailed in the Android Security Bulletin for March 2025. Security practitioners should ensure devices are updated to versions incorporating this fix to mitigate remote code execution risks.
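As an added verification step (example code written for this page, not part of the advisory or of AOSP), the POSIX shell functions below compare a device's reported security patch level with the level expected to carry the March 2025 bulletin fix. The 2025-03-01 patch level and the use of adb's getprop to read ro.build.version.security_patch are assumptions; adjust the level if your vendor lists a different one for this CVE.

```shell
# Added example, not from the original page. Assumption: the fix for
# CVE-2025-22408 ships at Android security patch level 2025-03-01.
REQUIRED_PATCH_LEVEL="2025-03-01"

# Normalise a YYYY-MM-DD patch level to a plain integer (YYYYMMDD) so that
# POSIX test(1) can compare it numerically. Prints nothing and returns 1
# when the input is not a well-formed patch level.
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the given level is at or above the required one, 1 if it is
# older (device still exposed to CVE-2025-22408), 2 if the value is unusable.
check_patch_level() {
    have=$(patch_level_to_int "$1") || return 2
    need=$(patch_level_to_int "$REQUIRED_PATCH_LEVEL")
    [ "$have" -ge "$need" ]
}

# Query a connected device (optional first argument: adb serial). Requires
# adb; ro.build.version.security_patch is the property that Android devices
# use to report their security patch level.
check_device() {
    if [ -n "$1" ]; then
        level=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    else
        level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    fi
    if check_patch_level "$level"; then
        echo "patch level $level: March 2025 fixes present"
    else
        echo "patch level '$level': UPDATE REQUIRED (CVE-2025-22408 fix absent or level unknown)"
    fi
}
```

Run `check_device` (or `check_device <serial>` with several devices attached) from a host with adb access; a non-zero result from `check_patch_level` is the signal to schedule the update.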
Details
- CWE(s)