Inside Android Bluetooth: Three Critical CVEs and Their Exploits
This article examines the complexity of the Bluetooth protocol stack, focusing on Android’s Host layer vulnerabilities, and provides detailed analyses of three critical CVEs—CVE‑2020‑27024 (SMP), CVE‑2021‑0918 (GATT), and CVE‑2021‑39805 (L2CAP)—including protocol overviews, code excerpts, and exploitation paths.
Background
Bluetooth protocols are far more complex than other communication protocols such as Wi‑Fi or traditional TCP/IP, with the core specification (5.3) reaching 3,085 pages. This complexity makes security testing and auditing of Bluetooth implementations difficult, leading to many vulnerabilities, while also raising the technical barrier for researchers and attackers.
The Bluetooth protocol stack is split into a Controller and a Host that talk across HCI. The Controller holds the radio, baseband and link layer (Link Manager on BR/EDR, Link Layer on LE); the Host sits above it and contains L2CAP, SMP, ATT/GATT and the profiles. The Host is where Android's C/C++ stack code lives and is the focus of this article.
Android’s Bluetooth stack has been a frequent target for security research. Notable past issues include the BlueBorne attack chain (2017) and the BlueFrag vulnerability (2020) that allowed remote code execution without user interaction.
OPPO Amber Lab has contributed multiple vulnerability reports to Google’s Android security team. This article details three Android Bluetooth protocol module vulnerabilities discovered by the team: CVE‑2020‑27024 (SMP), CVE‑2021‑0918 (GATT), and CVE‑2021‑39805 (L2CAP).
CVE‑2020‑27024 (SMP)
1. SMP Protocol Overview
SMP (Security Manager Protocol) defines how two devices pair and distribute keys; the keys it produces are then handed to the Controller to encrypt the link. Pairing proceeds through four steps: Feature Exchange (each side announces its I/O capabilities and security requirements), Key Generation, Key Distribution, and Link Encryption. SMP runs over a fixed L2CAP channel, so its PDUs are reachable from any peer that can establish a connection, before any trust has been established; that is what makes bugs in it remotely triggerable.
2. Vulnerability Analysis
CVE‑2020‑27024 is an out‑of‑bounds array read in the BR/EDR SMP state machine. smp_br_state_machine_event() selects the per‑role action table with entry_table = smp_br_entry_table[p_cb->role] without validating p_cb->role. The table has only two rows, one for each link role (master/central = 0, slave/peripheral = 1), so any role value greater than 1 indexes past the end of the table, and the garbage pointer read from there is then dereferenced to choose a state‑machine action. An attacker who can drive p_cb->role to such a value triggers the OOB read.
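The following is an added example, not code from the article or from the Android stack: a hypothetical, simplified model of a role‑indexed action table with the unchecked lookup beside a checked one. The table contents, event names and the HCI_ROLE_UNKNOWN sentinel value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a per-role state-machine table (not Fluoride code). */
#define HCI_ROLE_CENTRAL    0
#define HCI_ROLE_PERIPHERAL 1
#define HCI_ROLE_UNKNOWN    0xff  /* assumption: sentinel for "no link matched" */

enum { SMP_EVT_A = 0, SMP_EVT_B, SMP_EVT_C, SMP_BR_NUM_EVENTS };

/* One action id per event, one row per role. Valid row indices are 0 and 1. */
static const uint8_t central_map[SMP_BR_NUM_EVENTS]    = {10, 11, 12};
static const uint8_t peripheral_map[SMP_BR_NUM_EVENTS] = {20, 21, 22};
static const uint8_t* const smp_br_entry_table[] = {central_map, peripheral_map};
#define SMP_BR_NUM_ROLES (sizeof smp_br_entry_table / sizeof smp_br_entry_table[0])

typedef struct { uint8_t role; } smp_cb_t;

/* Vulnerable shape: the role is used as an index with no range check.
 * With role == 0xff this reads a pointer 0xff entries past the two-entry
 * table and then dereferences it. Kept for comparison; never called here. */
int smp_br_lookup_unchecked(const smp_cb_t* p_cb, uint8_t event) {
  const uint8_t* entry_table = smp_br_entry_table[p_cb->role];
  return entry_table[event];
}

/* Hardened: reject any role outside the table's rows, and any event outside
 * the row, before indexing. Returns the action id, or -1 to drop the event. */
int smp_br_lookup_checked(const smp_cb_t* p_cb, uint8_t event) {
  if ((size_t)p_cb->role >= SMP_BR_NUM_ROLES) {
    fprintf(stderr, "smp_br: invalid role %u, dropping event %u\n",
            p_cb->role, event);
    return -1;
  }
  if (event >= SMP_BR_NUM_EVENTS) return -1;
  return smp_br_entry_table[p_cb->role][event];
}

int main(void) {
  smp_cb_t cb = {HCI_ROLE_UNKNOWN};  /* control block whose role was never set */
  printf("unknown role -> %d\n", smp_br_lookup_checked(&cb, SMP_EVT_A));
  cb.role = HCI_ROLE_PERIPHERAL;
  printf("peripheral    -> %d\n", smp_br_lookup_checked(&cb, SMP_EVT_B));
  return 0;
}
```

The check is deliberately derived from the table's own size rather than from a hard‑coded "role > 1", so adding a row later cannot silently reopen the bug.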
CVE‑2021‑0918 (GATT)
1. GATT Protocol Overview
GATT (Generic Attribute Profile) defines a hierarchical data structure where services contain characteristics, which in turn contain properties, values, and descriptors. It operates over the ATT (Attribute Protocol) layer.
2. Vulnerability Analysis
CVE‑2021‑0918 is an out‑of‑bounds read/write in the GATT client when handling Notification PDUs. gatt_process_notification() takes value.len from the packet rather than from the number of bytes actually remaining, and copies that many bytes into a fixed‑size attribute buffer of GATT_MAX_ATTR_LEN (600) bytes. A crafted notification whose declared length exceeds the bytes present but stays below 600 therefore makes the copy read past the end of the received PDU, and the stale data lands in the value that is handed up to the application.
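As an added example (not the article's or the Android stack's gatt_process_notification() code), here is a hypothetical parser for a notification PDU that carries an explicit per‑value length. The layout is modelled on the ATT Multiple Handle Value Notification (opcode 0x23, then repeated handle, length, value); the struct, function names and sample PDUs are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the bug class above (not Fluoride code). */
#define GATT_MAX_ATTR_LEN  600
#define ATT_OP_MULTI_NOTIF 0x23

typedef struct {
  uint16_t handle;
  uint16_t len;
  uint8_t  value[GATT_MAX_ATTR_LEN];  /* fixed buffer the value is copied into */
} tGATT_VALUE;

static uint16_t rd_u16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable shape: value.len comes straight from the PDU and drives memcpy.
 * len > bytes remaining reads past the PDU; len > 600 writes past value.value.
 * Kept for comparison; never executed here. */
void gatt_multi_notif_unchecked(const uint8_t* p, uint16_t len) {
  tGATT_VALUE value;
  p++; len--;                                  /* skip opcode */
  while (len >= 4) {
    value.handle = rd_u16(p); p += 2;
    value.len    = rd_u16(p); p += 2; len -= 4;
    memcpy(value.value, p, value.len);         /* no bound on value.len */
    p += value.len; len -= value.len;          /* len underflows if value.len > len */
  }
}

/* Hardened: every declared length is checked against the bytes actually left
 * in the PDU and against the destination buffer before the copy. Returns the
 * number of values parsed, or -1 if the PDU is malformed. */
int gatt_multi_notif_checked(const uint8_t* p, uint16_t len,
                             tGATT_VALUE* out, int max_out) {
  int n = 0;
  if (len < 1 || p[0] != ATT_OP_MULTI_NOTIF) return -1;
  p++; len--;
  while (len > 0) {
    if (len < 4) return -1;                    /* truncated handle/len header */
    uint16_t handle = rd_u16(p);
    uint16_t vlen   = rd_u16(p + 2);
    p += 4; len -= 4;
    if (vlen > len) return -1;                 /* declared length exceeds PDU */
    if (vlen > GATT_MAX_ATTR_LEN) return -1;   /* would overflow value.value */
    if (n < max_out) {
      out[n].handle = handle;
      out[n].len    = vlen;
      memcpy(out[n].value, p, vlen);
    }
    n++;
    p += vlen; len -= vlen;
  }
  return n;
}

/* Constructed sample PDUs (little-endian fields). */
static const uint8_t good_pdu[] = {0x23, 0x2a,0x00, 0x02,0x00, 0xaa,0xbb,
                                         0x2b,0x00, 0x01,0x00, 0xcc};
/* Claims a 0x0210 = 528-byte value (under 600) but carries a single byte. */
static const uint8_t bad_pdu[]  = {0x23, 0x2a,0x00, 0x10,0x02, 0xaa};

static tGATT_VALUE parsed[4];

int main(void) {
  printf("good: %d values\n", gatt_multi_notif_checked(good_pdu, sizeof good_pdu, parsed, 4));
  printf("bad:  %d\n",        gatt_multi_notif_checked(bad_pdu,  sizeof bad_pdu,  parsed, 4));
  return 0;
}
```

bad_pdu is exactly the condition described above: a length below GATT_MAX_ATTR_LEN that still exceeds the data present, which the unchecked loop would satisfy by reading 527 bytes past the end of the packet.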
CVE‑2021‑39805 (L2CAP)
1. L2CAP Protocol Overview
L2CAP (Logical Link Control and Adaptation Protocol) provides channel‑based data services to higher layers, supporting both connection‑oriented and connection‑less communication. Each channel endpoint is identified by a CID. Control traffic (connection requests and responses, parameter updates, credits) travels over a fixed signalling channel, CID 0x0005 on LE, and is parsed by the Host before any higher‑layer authentication, so the signalling command handlers are fully exposed to a remote peer.
2. Vulnerability Analysis
CVE‑2021‑39805 is an array out‑of‑bounds read in the L2CAP LE signalling command handler l2cble_process_sig_cmd(). When processing a response command, the function reads the result field from the command's fixed layout without first checking that the received packet is long enough to contain it. A truncated command therefore makes the read run past the end of the packet buffer, and the bytes picked up from adjacent memory flow into the connection state, leaking memory contents.
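The following added example is not the article's or Android's l2cble_process_sig_cmd() code; it is a hypothetical handler for one LE signalling command, the LE Credit Based Connection Response (code 0x15), whose payload ends with the result field. The function names and sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one LE signalling command handler (not Fluoride code). */
#define L2CAP_CMD_CREDIT_BASED_CONN_RES 0x15
#define L2CAP_SIG_HDR_LEN  4   /* code(1) identifier(1) length(2) */
#define L2CAP_CONN_RSP_LEN 10  /* dcid(2) mtu(2) mps(2) credits(2) result(2) */

typedef struct {
  uint8_t  id;
  uint16_t dcid, mtu, mps, credits, result;
} le_conn_rsp_t;

static uint16_t rd_u16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable shape: trusts the command code and reads the fixed layout,
 * including result at payload offset 8, no matter how many bytes arrived.
 * A 6-byte payload makes this read past the packet. Never called here. */
uint16_t le_conn_rsp_result_unchecked(const uint8_t* pkt) {
  const uint8_t* p = pkt + L2CAP_SIG_HDR_LEN;
  return rd_u16(p + 8);
}

/* Hardened: validate the received byte count and the header's own length
 * field before touching any payload field. Returns 0 on success, -1 on a
 * malformed or truncated command. */
int le_conn_rsp_parse(const uint8_t* pkt, size_t pkt_len, le_conn_rsp_t* out) {
  if (pkt_len < L2CAP_SIG_HDR_LEN) return -1;
  uint8_t  code    = pkt[0];
  uint16_t cmd_len = rd_u16(pkt + 2);
  if (code != L2CAP_CMD_CREDIT_BASED_CONN_RES) return -1;
  if (cmd_len < L2CAP_CONN_RSP_LEN) return -1;           /* header claims too little */
  if (pkt_len - L2CAP_SIG_HDR_LEN < cmd_len) return -1;  /* header claims more than arrived */
  const uint8_t* p = pkt + L2CAP_SIG_HDR_LEN;
  out->id      = pkt[1];
  out->dcid    = rd_u16(p);
  out->mtu     = rd_u16(p + 2);
  out->mps     = rd_u16(p + 4);
  out->credits = rd_u16(p + 6);
  out->result  = rd_u16(p + 8);
  return 0;
}

/* Constructed samples. Complete response: dcid 0x40, mtu 247, mps 247,
 * 5 credits, result 0 (success). */
static const uint8_t full_rsp[]  = {0x15, 0x07, 0x0a,0x00,
                                    0x40,0x00, 0xf7,0x00, 0xf7,0x00, 0x05,0x00, 0x00,0x00};
/* Truncated: header claims 10 payload bytes but only 6 follow; result is missing. */
static const uint8_t short_rsp[] = {0x15, 0x07, 0x0a,0x00,
                                    0x40,0x00, 0xf7,0x00, 0xf7,0x00};
/* Lying header: length field says 4, so result would sit past the declared payload. */
static const uint8_t lying_rsp[] = {0x15, 0x07, 0x04,0x00, 0x40,0x00, 0xf7,0x00};

static le_conn_rsp_t g_rsp;

int main(void) {
  printf("full:  %d (result=%u)\n", le_conn_rsp_parse(full_rsp, sizeof full_rsp, &g_rsp), g_rsp.result);
  printf("short: %d\n", le_conn_rsp_parse(short_rsp, sizeof short_rsp, &g_rsp));
  printf("lying: %d\n", le_conn_rsp_parse(lying_rsp, sizeof lying_rsp, &g_rsp));
  return 0;
}
```

Both checks matter: the byte count guards the memory read, and the header's length field guards against a peer that sends enough bytes but declares a shorter command so that later code walks the buffer inconsistently.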
Summary
Android’s Bluetooth stack has evolved from BlueZ to BlueDroid (later renamed Fluoride) and is moving toward Gabeldorsche, a rewrite that leans on Rust. The current C/C++ stack’s heavy hand‑rolled packet parsing and memory manipulation is the source of numerous severe RCE bugs; Rust’s memory‑safety guarantees should shift future research toward logic flaws in pairing, key handling and state machines, raising the expertise required for vulnerability discovery.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
OPPO Amber Lab
Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.