A vulnerability has been detected in the Bluetooth LE stack of Android 14


If exploited, flaws of this kind can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the device.

The news was recently announced by the developers of the GrapheneOS project: a vulnerability has been detected in the Bluetooth LE stack of Android 14. The error is a memory corruption bug introduced in Android 14 QPR2.

For those unfamiliar with GrapheneOS, it is a project that develops a hardened version of the AOSP code base. Its developers were the ones who detected the vulnerability in the Bluetooth stack of Android 14, and they note that it can be exploited and may lead to remote code execution.

Regarding the vulnerability, the GrapheneOS developers explain that it originates from access to a previously freed memory area, which is known as a “use-after-free.” The problem lies in the code responsible for processing audio transmitted over Bluetooth LE.

Our hardware memory tagging support for Pixel 8 and Pixel 8 Pro has discovered a memory corruption bug introduced in Android 14 QPR2 for Bluetooth LE. We are currently investigating to determine how to fix or temporarily disable the newly introduced feature as a workaround.

Identification of this vulnerability is due in part to the additional protections implemented by the hardened_malloc memory allocator, which uses the ARMv8.5 MTE (Memory Tagging Extension). This extension assigns a tag to each memory allocation and checks, on every access, that the pointer carries the matching tag. This catches the exploitation of vulnerabilities related to access to freed memory, buffer overflows, calls to functions before their initialization, and use of memory outside its current context.
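As an added illustration (not code from the article, from GrapheneOS or from hardened_malloc), the following C program models in software what the tag checks described above do: every 16-byte granule and every pointer carries a 4-bit tag, and a load whose pointer tag does not match the granule tag is rejected, which is how a use-after-free or an overflow into a neighbouring allocation surfaces as a crash instead of silently succeeding. The heap layout, tag assignment and function names are hypothetical simplifications of real MTE.

```c
#include <stddef.h>
#include <stdint.h>

/* Software model of what ARMv8.5 MTE does under a tagging allocator: memory is
 * split into 16-byte granules, each granule and each pointer carries a 4-bit
 * tag, and every load compares the two. A hypothetical teaching model; it is
 * not real MTE and not the allocator GrapheneOS ships. */
#define HEAP_SIZE 512
#define GRANULE   16
#define TAG_SHIFT 56
#define FREED_TAG 0   /* tag written back over freed granules */

static uint8_t heap[HEAP_SIZE];
static uint8_t granule_tag[HEAP_SIZE / GRANULE];
static size_t  heap_top;     /* bump allocator, never reuses memory here */
static uint8_t next_tag = 1; /* live allocations cycle through tags 1..15 */

static uint8_t ptr_tag(uint64_t p)    { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static size_t  ptr_offset(uint64_t p) { return (size_t)(p & 0xFFFFFFFFu); }
static size_t  granules_for(size_t n) { return n ? (n + GRANULE - 1) / GRANULE : 1; }

/* Allocate n bytes: tag the granules and return a pointer carrying that tag
 * in its top byte. Returns 0 when the model heap is exhausted. */
uint64_t mte_alloc(size_t n) {
    size_t g = granules_for(n), off = heap_top;
    if (off + g * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    for (size_t i = 0; i < g; i++) granule_tag[off / GRANULE + i] = tag;
    heap_top += g * GRANULE;
    return ((uint64_t)tag << TAG_SHIFT) | off;
}

/* Free retags the granules, so a stale pointer no longer matches them. */
void mte_free(uint64_t p, size_t n) {
    size_t first = ptr_offset(p) / GRANULE;
    for (size_t i = 0; i < granules_for(n); i++) granule_tag[first + i] = FREED_TAG;
}

/* Checked load: 0 on success, -1 on a tag check fault (the event MTE raises
 * as a synchronous exception, which is how the BLE audio bug surfaced). */
int mte_load(uint64_t p, uint8_t *out) {
    size_t off = ptr_offset(p);
    if (off >= HEAP_SIZE || granule_tag[off / GRANULE] != ptr_tag(p)) return -1;
    *out = heap[off];
    return 0;
}
```

A stale pointer kept after `mte_free` still names the same address, but its tag no longer matches the granule, so the next `mte_load` through it faults rather than reading whatever now lives there.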

This error started appearing after the update to Android 14 QPR2 (Quarterly Platform Release), launched in early March. In the core Android 14 code release, MTE support is available as an option but is not yet enabled by default.

On GrapheneOS, however, MTE protection is enabled to provide an additional layer of security, which is what allowed the bug to be identified after the update to Android 14 QPR2. The bug caused crashes when Samsung Galaxy Buds2 Pro Bluetooth headphones were used with a phone whose firmware had MTE-based protection enabled. Subsequent analysis of the incident revealed that the problem was an access to freed memory in the Bluetooth LE driver, and was not caused by the integration of the MTE functionality itself.

As for possible solutions to the vulnerability, the GrapheneOS developers state that disabling memory tagging for this process is not an acceptable alternative, even in the short term, because the process is a significant attack surface, regardless of whether this particular bug is exploitable or not. The bug only occurs with certain Bluetooth LE devices, not with all Bluetooth devices.

The vulnerability has been fixed in GrapheneOS version 2024030900. Importantly, this vulnerability also affects devices that do not have the additional hardware protection provided by the MTE extension. Currently, MTE is enabled only on Pixel 8 and Pixel 8 Pro devices.

We developed a patch for the Android 14 QPR2 use-after-free bug we discovered with Bluetooth LE. Our priority is to release a version of GrapheneOS with our fix soon and we will report it as an Android security bug. This should also resolve BLE audio regressions.

The vulnerability has been observed on Google Pixel 8 smartphones with firmware based on Android 14 QPR2. On Pixel 8 series devices, MTE can be enabled in the developer settings, under “Settings / System / Developer Options / Memory Tagging Extension”. Note that enabling MTE increases memory consumption by approximately 3%, but does not affect device performance.

Finally, if you are interested in learning more about it, you can check the details at the following link.
