Critical Android 14 Flaw: Bluetooth Vulnerability Uncovered

The team behind GrapheneOS, a project dedicated to developing a hardened build of the Android Open Source Project (AOSP), identified a flaw in the Bluetooth stack of Android 14 that could lead to remote code execution.

The bug is a use-after-free (UAF) that is triggered during audio transmission over Bluetooth LE. It was discovered with the help of the hardened_malloc allocator, which adds extra protection through ARMv8.5 MTE (Memory Tagging Extension); MTE makes it possible to detect and block misuse of pointers to freed memory blocks, buffer overflows, and similar issues.
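A software model of the mechanism described above, added here as an example and not code from GrapheneOS or hardened_malloc: each allocation receives a tag stored both in the pointer's top byte and alongside the 16-byte granules it covers, free retags the memory, and a later access through the stale pointer fails the tag comparison. The toy heap, bump allocator and tag side table are constructed simplifications (real MTE keeps the tags in hardware, and hardened_malloc's design differs).

```c
#include <stdint.h>
#include <stddef.h>
#define GRANULE 16                       /* MTE tags memory in 16-byte granules */
#define HEAP_BYTES 4096
#define TAG_SHIFT 56                     /* the tag lives in the pointer's top byte */
#define TAG_MASK ((uintptr_t)0xF << TAG_SHIFT)
static uint8_t heap[HEAP_BYTES];         /* constructed toy heap, assumes 64-bit */
static uint8_t granule_tag[HEAP_BYTES / GRANULE]; /* side table standing in for hardware tags */
static size_t next_granule;              /* bump allocator, no reuse */
static uint8_t next_tag = 1;

static uint8_t *untag(uintptr_t p) { return (uint8_t *)(p & ~TAG_MASK); }
static uint8_t tag_of(uintptr_t p) { return (uint8_t)((p & TAG_MASK) >> TAG_SHIFT); }
static size_t granule_of(uintptr_t p) { return (size_t)(untag(p) - heap) / GRANULE; }

/* Hand out a tagged pointer and give its granules the same tag. */
uintptr_t mte_malloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (next_granule + n > HEAP_BYTES / GRANULE) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);           /* cycle 1..15, never 0 */
    for (size_t i = 0; i < n; i++) granule_tag[next_granule + i] = tag;
    uintptr_t p = (uintptr_t)(heap + next_granule * GRANULE);
    next_granule += n;
    return p | ((uintptr_t)tag << TAG_SHIFT);
}

/* Free retags the memory, so any pointer still carrying the old tag is stale. */
void mte_free(uintptr_t p, size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE, g = granule_of(p);
    uint8_t fresh = (uint8_t)(tag_of(p) % 15 + 1);
    for (size_t i = 0; i < n; i++) granule_tag[g + i] = fresh;
}

/* A checked access: 0 on tag match, -1 where the CPU would raise a tag fault. */
int mte_access(uintptr_t p, uint8_t *val, int is_write) {
    size_t g = granule_of(p);
    if (g >= HEAP_BYTES / GRANULE || granule_tag[g] != tag_of(p)) return -1;
    if (is_write) *untag(p) = *val; else *val = *untag(p);
    return 0;
}

/* Use-after-free: the stale pointer keeps the old tag and is rejected. */
int demo_use_after_free(void) {
    uintptr_t buf = mte_malloc(32);
    uint8_t v = 0x41;
    if (mte_access(buf, &v, 1) != 0) return -2;    /* live write must succeed */
    mte_free(buf, 32);
    return mte_access(buf, &v, 0);                 /* -1: stale tag caught */
}
```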

The vulnerability appeared after the upgrade to Android 14 QPR2 in early March and affects all smartphones on which MTE is not enabled; GrapheneOS had already turned this feature on to bolster security. The flaw showed up as malfunctions when using Samsung Galaxy Buds2 Pro Bluetooth headphones, provided MTE protection was enabled in the firmware.

The vulnerability was fixed in the latest GrapheneOS update, 2024030900, and affects only builds where MTE protection is not deployed (MTE is available only on the Google Pixel 8 and Pixel 8 Pro). On Pixel 8 devices running the latest Android 14 QPR2 update the issue could be reproduced, but it was prevented by enabling MTE in the developer settings, at a cost of roughly 3% additional memory consumption and without impacting performance.