Analysis of Android Bluetooth Protocol Stack Vulnerabilities (CVE-2020-27024, CVE-2021-0918, CVE-2021-39805)
The article examines three Android Bluetooth stack flaws, CVE‑2020‑27024 in the SMP pairing protocol, CVE‑2021‑0918 in GATT notification handling, and CVE‑2021‑39805 in L2CAP signaling, detailing the out‑of‑bounds memory accesses, the code defects behind them, and what they imply for the security of the forthcoming Rust‑based stack.
1. Background
Bluetooth protocols are considerably more complex than other communication protocols such as Wi‑Fi (802.11) or traditional TCP/IP. The Bluetooth Core Specification 5.3 spans 3085 pages, making security testing and auditing of individual protocol implementations difficult and resulting in many security flaws. The complexity also raises the technical barrier for researchers and attackers.
The Bluetooth stack is split into a Host and a Controller, which talk to each other over the Host Controller Interface (HCI). The Controller implements the radio, baseband and link layer; the Host implements everything above HCI (L2CAP, SMP, ATT/GATT and the application‑level profiles). The Host is the focus of this analysis, since that is the code a remote peer reaches with crafted over‑the‑air packets.
Android’s Bluetooth stack has been a frequent target for security research. Notable past vulnerabilities include the BlueBorne attack chain (2017) and the BlueFrag vulnerability (2020). The Amber Terminal Security Lab has reported several Android Bluetooth stack bugs, which are detailed below.
2. CVE‑2020‑27024 (SMP protocol)
2.1 SMP protocol overview
The Security Manager Protocol (SMP) handles pairing and key distribution; the keys it produces are then used by the link layer to encrypt the connection. Pairing proceeds in four stages: pairing feature exchange, key generation (short‑term key in legacy pairing, long‑term key in LE Secure Connections), transport‑specific key distribution, and finally link encryption with the resulting key.
2.2 Vulnerability analysis
CVE‑2020‑27024 is an out‑of‑bounds read in smp_br_state_machine_event(): the connection role stored in p_cb->role is used, without validation, as an index into the global smp_br_entry_table, which has only two entries (one per role). An attacker who can craft a packet that drives p_cb->role outside that range (a value of 2 or more) makes the state machine fetch its table entry from memory beyond the array.
[The original article shows the relevant code as images, which are not reproduced here.]
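The pattern described above, as an added example rather than code from the article or from the Android stack: a two‑entry table indexed by the connection role, with the unchecked lookup beside a range‑checked one. The table contents, the cut‑down control block, the handler return values and the names smp_br_event_unchecked, smp_br_event_checked and smp_demo are this example's own; the real smp_br_entry_table holds per‑state entry maps, not single handlers.

```c
#include <stdint.h>
#include <stdio.h>

#define HCI_ROLE_CENTRAL    0
#define HCI_ROLE_PERIPHERAL 1
#define SMP_BR_ROLE_COUNT   2   /* one table entry per role, as described above */

typedef int (*smp_br_handler_t)(uint8_t event);

/* Stand-ins for the per-role entry maps; they only tag which entry ran. */
static int central_entry(uint8_t event)    { return 100 + event; }
static int peripheral_entry(uint8_t event) { return 200 + event; }

/* Two-entry table indexed by p_cb->role (example layout, not Fluoride's). */
static const smp_br_handler_t smp_br_entry_table[SMP_BR_ROLE_COUNT] = {
    central_entry, peripheral_entry,
};

/* Cut-down control block: only the field involved in the bug. */
typedef struct { uint8_t role; } smp_cb_t;

/* Vulnerable shape: the role is used as an index with no range check, so a
 * value of 2 or more fetches a "function pointer" from beyond the table
 * (undefined behaviour; never call this with an unvalidated role). */
int smp_br_event_unchecked(smp_cb_t *p_cb, uint8_t event)
{
    return smp_br_entry_table[p_cb->role](event);
}

/* Hardened: validate the index against the table size, drop the event
 * otherwise and return -1 so the caller can tell "dropped" from a result. */
int smp_br_event_checked(smp_cb_t *p_cb, uint8_t event)
{
    if (p_cb->role >= SMP_BR_ROLE_COUNT) {
        fprintf(stderr, "smp: role %u out of range, event %u dropped\n",
                (unsigned)p_cb->role, (unsigned)event);
        return -1;
    }
    return smp_br_entry_table[p_cb->role](event);
}

/* Convenience wrapper: build a control block with the given role and run one
 * event through the checked dispatcher. */
int smp_demo(uint8_t role, uint8_t event)
{
    smp_cb_t cb = { .role = role };
    return smp_br_event_checked(&cb, event);
}
```

The check belongs at the point of use, not only where the role is assigned: any code path that can write p_cb->role from peer‑influenced state (the article's "crafted packet") bypasses a check done elsewhere.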
3. CVE‑2021‑0918 (GATT protocol)
3.1 GATT protocol overview
GATT (Generic Attribute Profile) defines a hierarchical data model (services → characteristics → descriptors) used by BLE devices. It operates over the ATT (Attribute Protocol) which carries request/response, command, notification, indication, and confirmation PDUs.
Table 1 (not reproduced here) lists the most common ATT PDU types.
3.2 Vulnerability analysis
CVE‑2021‑0918 is an out‑of‑bounds write (with an accompanying out‑of‑bounds read) in the client‑side handling of Handle Value Notification PDUs. gatt_process_notification() derives value.len from the length of the PDU it received and passes it straight to STREAM_TO_ARRAY(value.value, p, value.len) without comparing it to GATT_MAX_ATTR_LEN (600), the size of the fixed value.value buffer. A peer that sends a notification whose value exceeds 600 bytes therefore makes the copy run past the end of that buffer.
[The original article shows the relevant code as images, which are not reproduced here.]
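The notification path described above, as an added example that is not the article's or Fluoride's code: a parser in the shape of gatt_process_notification(), with the unchecked copy beside a length‑checked one. The STREAM_TO_* macros mirror the little‑endian helpers used in the Android stack; the struct, the function names (process_notification_unchecked, process_notification_checked, the demo_* helpers) and the constructed PDU bodies are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GATT_MAX_ATTR_LEN   600   /* capacity of the fixed value buffer */
#define GATT_NOTIF_MIN_LEN  2     /* a notification body starts with a 2-byte handle */

/* Little-endian stream helpers in the style of the Android stack's macros. */
#define STREAM_TO_UINT16(u16, p) \
    do { (u16) = (uint16_t)((p)[0] | ((p)[1] << 8)); (p) += 2; } while (0)
#define STREAM_TO_ARRAY(a, p, len) \
    do { memcpy((a), (p), (len)); (p) += (len); } while (0)

typedef struct {
    uint16_t handle;
    uint16_t len;
    uint8_t  value[GATT_MAX_ATTR_LEN];
} gatt_value_t;

/* Vulnerable shape: len is whatever the peer sent, so a notification carrying
 * more than GATT_MAX_ATTR_LEN value bytes makes STREAM_TO_ARRAY write past
 * out->value. p points just past the ATT opcode; len is the byte count that
 * follows the opcode. Never feed this untrusted input. */
int process_notification_unchecked(const uint8_t *p, uint16_t len, gatt_value_t *out)
{
    if (len < GATT_NOTIF_MIN_LEN) return -1;
    STREAM_TO_UINT16(out->handle, p);
    out->len = (uint16_t)(len - GATT_NOTIF_MIN_LEN);
    STREAM_TO_ARRAY(out->value, p, out->len);    /* no check against sizeof value[] */
    return 0;
}

/* Hardened: compare the peer-supplied length with the destination capacity
 * before any byte is copied, and drop the PDU if it does not fit. */
int process_notification_checked(const uint8_t *p, uint16_t len, gatt_value_t *out)
{
    if (len < GATT_NOTIF_MIN_LEN) return -1;
    STREAM_TO_UINT16(out->handle, p);
    out->len = (uint16_t)(len - GATT_NOTIF_MIN_LEN);
    if (out->len > GATT_MAX_ATTR_LEN) {
        fprintf(stderr, "gatt: notification value %u > %d bytes, dropped\n",
                (unsigned)out->len, GATT_MAX_ATTR_LEN);
        out->len = 0;
        return -2;
    }
    STREAM_TO_ARRAY(out->value, p, out->len);
    return 0;
}

/* Constructed inputs (bytes after the 0x1B Handle Value Notification opcode). */
int demo_normal_notification(void)
{
    static const uint8_t body[] = { 0x2A, 0x00, 'h', 'i' };   /* handle 0x002A, value "hi" */
    gatt_value_t v;
    if (process_notification_checked(body, (uint16_t)sizeof body, &v) != 0) return -1;
    return (v.handle == 0x002A && v.len == 2 && v.value[0] == 'h' && v.value[1] == 'i') ? 0 : -1;
}

int demo_oversized_notification(void)
{
    static uint8_t body[GATT_NOTIF_MIN_LEN + 700];   /* 700-byte value: 100 past the buffer */
    gatt_value_t v;
    body[0] = 0x2A; body[1] = 0x00;
    memset(body + GATT_NOTIF_MIN_LEN, 0x41, 700);
    return process_notification_checked(body, (uint16_t)sizeof body, &v);   /* dropped: -2 */
}
```

The hardened version checks the destination capacity, which is the bound the vulnerable code lacked; the source side is already bounded by len, the number of bytes the lower layer actually delivered.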
4. CVE‑2021‑39805 (L2CAP protocol)
4.1 L2CAP protocol overview
L2CAP (Logical Link Control and Adaptation Protocol) provides channel‑based data services for higher‑layer protocols. Each channel is identified by a Channel Identifier (CID); some CIDs are fixed, for example 0x0001 for the signaling channel on ACL‑U links, 0x0004 for ATT, 0x0005 for the signaling channel on LE‑U links and 0x0006 for SMP over LE. Signaling commands (connection, configuration and, for credit‑based channels, reconfiguration) are exchanged over the signaling channel, each carrying a one‑byte code, a one‑byte identifier and a two‑byte length ahead of the command data.
4.2 Vulnerability analysis
CVE‑2021‑39805 is an out‑of‑bounds read in l2cble_process_sig_cmd() when handling the Credit‑Based Reconfiguration Response (L2CAP_CMD_CREDIT_BASED_RECONFIG_RES, code 0x1A). The code reads the two‑byte Result field with STREAM_TO_UINT16 without first checking that two bytes remain before the end of the received packet, so a response whose data is shorter than that makes the parser read past the packet and exposes whatever follows it in memory, an information leak.
[The original article shows the relevant code as images, which are not reproduced here.]
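The signaling path described above, as an added example that is neither the article's nor Fluoride's code: a parser for one LE signaling PDU that checks the remaining bytes before each fixed‑size read, with the unchecked Result read shown beside it. The STREAM_TO_* macros mirror the Android stack's little‑endian helpers; the names process_le_sig_cmd, handle_reconfig_rsp_checked, handle_reconfig_rsp_unchecked, p_pkt_end and the demo_* helpers, the result struct and the constructed packets are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_CMD_CREDIT_BASED_RECONFIG_RES 0x1A
#define L2CAP_CMD_HDR_LEN 4        /* code(1) identifier(1) length(2) */

/* Little-endian stream helpers in the style of the Android stack's macros. */
#define STREAM_TO_UINT8(u8, p)   do { (u8) = (p)[0]; (p) += 1; } while (0)
#define STREAM_TO_UINT16(u16, p) \
    do { (u16) = (uint16_t)((p)[0] | ((p)[1] << 8)); (p) += 2; } while (0)

typedef struct {
    uint8_t  id;       /* signaling identifier from the header */
    uint16_t result;   /* Result field of the reconfiguration response */
    int      valid;    /* 1 once result has been parsed */
} reconfig_rsp_t;

/* Vulnerable shape: the 2-byte Result field is read without asking whether
 * two bytes remain, so a response whose data is shorter than that reads
 * past the received packet (the CVE-2021-39805 pattern). */
void handle_reconfig_rsp_unchecked(const uint8_t *p, reconfig_rsp_t *out)
{
    STREAM_TO_UINT16(out->result, p);
    out->valid = 1;
}

/* Hardened: check the remaining bytes before every fixed-size read. The
 * comparison uses the distance to the end pointer rather than computing
 * p + 2, which would itself be undefined if it overran the buffer. */
int handle_reconfig_rsp_checked(const uint8_t *p, const uint8_t *p_pkt_end, reconfig_rsp_t *out)
{
    if ((size_t)(p_pkt_end - p) < sizeof(uint16_t)) {
        fprintf(stderr, "l2cap: reconfig response truncated, dropped\n");
        return -1;
    }
    STREAM_TO_UINT16(out->result, p);
    out->valid = 1;
    return 0;
}

/* Parse one LE signaling PDU. pkt_len is the length actually received from
 * the lower layer; the length field inside the header is peer-controlled
 * and is only trusted after it has been checked against pkt_len. */
int process_le_sig_cmd(const uint8_t *pkt, size_t pkt_len, reconfig_rsp_t *out)
{
    const uint8_t *p = pkt;
    const uint8_t *p_pkt_end = pkt + pkt_len;
    uint8_t  cmd_code, id;
    uint16_t cmd_len;

    out->valid = 0;
    if (pkt_len < L2CAP_CMD_HDR_LEN) return -1;        /* header itself missing */
    STREAM_TO_UINT8(cmd_code, p);
    STREAM_TO_UINT8(id, p);
    STREAM_TO_UINT16(cmd_len, p);
    if ((size_t)(p_pkt_end - p) < cmd_len) return -1;  /* header claims more than arrived */
    p_pkt_end = p + cmd_len;                           /* handlers may not read past this */
    out->id = id;

    switch (cmd_code) {
    case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES:
        return handle_reconfig_rsp_checked(p, p_pkt_end, out);
    default:
        return -2;   /* other signaling commands are not modelled here */
    }
}

/* Constructed packets; each helper returns the parsed Result or a negative code. */
int demo_well_formed(void)
{
    /* code 0x1A, id 5, length 2, Result = 0x0003 */
    static const uint8_t pkt[] = { 0x1A, 0x05, 0x02, 0x00, 0x03, 0x00 };
    reconfig_rsp_t r;
    if (process_le_sig_cmd(pkt, sizeof pkt, &r) != 0 || !r.valid || r.id != 5) return -1;
    return r.result;
}

int demo_empty_payload(void)
{
    /* code 0x1A, id 5, length 0: header is complete, Result is missing */
    static const uint8_t pkt[] = { 0x1A, 0x05, 0x00, 0x00 };
    reconfig_rsp_t r;
    int rc = process_le_sig_cmd(pkt, sizeof pkt, &r);
    return (rc < 0 && !r.valid) ? rc : -99;
}

int demo_lying_length(void)
{
    /* header promises 2 bytes of data but the packet ends right after it */
    static const uint8_t pkt[] = { 0x1A, 0x05, 0x02, 0x00 };
    reconfig_rsp_t r;
    int rc = process_le_sig_cmd(pkt, sizeof pkt, &r);
    return (rc < 0 && !r.valid) ? rc : -99;
}
```

Two different checks are needed: the outer one rejects a header whose length field exceeds what was received, and the per‑command one rejects a header that is internally consistent but simply too short for the command it names. The CVE is the second case.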
5. Summary and Outlook
The Android Bluetooth stack has evolved from BlueZ to BlueDroid and now to Fluoride, with the next‑generation Rust‑based stack (Gabeldorsche) under development. Rust removes most of the memory‑safety bugs of the kind discussed here, so future research on the stack will likely shift to logical flaws, race conditions, and protocol design defects, which a safe language does not prevent.
References:
Bluetooth SIG, Bluetooth Core Specification, Version 5.3.
Android Security Bulletins, December 2020, November 2021 and April 2022.
OPPO Kernel Craftsman