Cyber Posture

CVE-2025-22411

High

Published: 26 August 2025

Published
26 August 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22411 is a high-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation through vendor patches directly fixes the use-after-free logic error in the Bluetooth stack's SDP discovery process, preventing exploitation.

SI-16 Memory Protection good match
prevent

Memory protection safeguards such as address space layout randomization and data execution prevention thwart code execution from the use-after-free vulnerability in sdp_discovery.cc.

CM-7 Least Functionality good match
prevent

Least functionality restricts or prohibits unnecessary Bluetooth SDP discovery services, eliminating exposure to adjacent network attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Use-after-free in Bluetooth SDP discovery enables unauthenticated adjacent-network RCE without user interaction, directly mapping to exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In process_service_attr_rsp of sdp_discovery.cc, there is a possible use after free due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2025-22411 is a use-after-free vulnerability stemming from a logic error in the process_service_attr_rsp function of sdp_discovery.cc, part of the Android Bluetooth stack in platform/packages/modules/Bluetooth. This issue affects Android devices with vulnerable versions of the Bluetooth module and was published on 2025-08-26, carrying a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-416.

An unauthenticated attacker on an adjacent network can exploit this vulnerability remotely without user interaction or additional privileges. Exploitation triggers a use-after-free condition during SDP discovery, potentially leading to proximal/adjacent code execution with high impacts on confidentiality, integrity, and availability.

Mitigation details are outlined in the Android Security Bulletin for March 2025 at https://source.android.com/security/bulletin/2025-03-01. A fix is applied via commit 806774b1cf641e0c0e7df8024e327febf23d7d7c in the Android source repository at https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c.

Details

CWE(s)
CWE-416

Affected Products

google
android
15.0

CVEs Like This One

CVE-2025-0075Same product: Google Android
CVE-2025-22412Same product: Google Android
CVE-2025-22403Same product: Google Android
CVE-2025-22408Same product: Google Android
CVE-2025-0084Same product: Google Android
CVE-2025-0074Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2025-48543Same product: Google Android
CVE-2025-22409Same product: Google Android
CVE-2024-40669Same product: Google Android

References