CVE-2025-22412
Published: 26 August 2025
Summary
CVE-2025-22412 is a high-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 35.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely identification, reporting, and remediation of flaws like this use-after-free vulnerability via patching as specified in the Android Security Bulletin.
Implements memory protection mechanisms such as ASLR, stack canaries, and DEP that prevent successful exploitation of use-after-free errors leading to remote code execution.
Authorizes, monitors, and controls wireless access including Bluetooth to restrict proximal/adjacent attackers from triggering the SDP use-after-free vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Bluetooth SDP server directly enables remote exploitation of a wireless service for code execution (T1210).
NVD Description
In multiple functions of sdp_server.cc, there is a possible use after free due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis
CVE-2025-22412 is a use-after-free vulnerability stemming from a logic error in multiple functions of sdp_server.cc, part of the Android Bluetooth stack in platform/packages/modules/Bluetooth. Published on 2025-08-26, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416.
The vulnerability enables remote proximal or adjacent code execution without requiring additional privileges or user interaction. An unauthenticated attacker within Bluetooth range can trigger the use-after-free flaw during SDP (Service Discovery Protocol) interactions, potentially leading to arbitrary code execution on the affected device.
The Android Security Bulletin for March 2025 details the issue and recommends applying the available patch, accessible at https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c, with further guidance at https://source.android.com/security/bulletin/2025-03-01.
Details
- CWE(s)