PT-2025-39687 · Google · Android
Published: 2025-09-26 · Updated: 2026-02-03 · CVE-2025-48593
CVSS v2.0: 10 (High)
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Android versions 13 through 16
Description
A critical zero-click remote code execution issue exists in the Android Bluetooth stack, specifically within the bta_hf_client_cb_init function of bta_hf_client_main.cc. The flaw is a use-after-free condition. Exploitation does not require user interaction; an attacker can trigger the issue by sending specially crafted network packets or through malicious applications. Successful exploitation could grant an attacker full access to the device, potentially leading to data theft and the installation of ransomware. The vulnerability primarily affects devices acting as Bluetooth headphones, smartwatches, smart glasses, and cars. While some reports indicate a potential for remote takeover, proof-of-concept demonstrations suggest the issue primarily causes service crashes on devices functioning as Bluetooth accessories. The vulnerability is assigned a critical severity level of 9.8 out of 10.
Recommendations
Update to the security patch level 2025-11-01 or newer.
If possible, temporarily disable the Bluetooth Hands-Free Profile (HFP) to reduce the risk of exploitation.
Avoid connecting to untrusted networks.
Enable Google Play Protect for enhanced security.
Exploit
Fix
RCE
Use After Free
Related Identifiers
BDU:2025-13912
CVE-2025-48593
Affected Products
Android
References · 49
- https://github.com/letchupkt/CVE-2025-48593 · Exploit
- https://nvd.nist.gov/vuln/detail/CVE-2025-48593 · Security Note
- https://source.android.com/security/bulletin/2025-11-01 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-13912 · Security Note
- https://twitter.com/offseq/status/1990661638618267884 · Twitter Post
- https://reddit.com/r/SecOpsDaily/comments/1pdy9a9/cve202548633_and_cve202548572_android_framework · Reddit Post
- https://source.android.com/docs/security/bulletin/2025-11-01?hl=ru · Note
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5ed63461b44198c80d5aff7e1af1df812f782abb · Note
- https://reddit.com/r/CVEWatch/comments/1otax1r/top_10_trending_cves_10112025 · Reddit Post
- https://twitter.com/ToHamalainen/status/1971549867840504147 · Twitter Post
- https://twitter.com/zhuowei/status/1995666982168133672 · Twitter Post
- https://reddit.com/r/SecOpsDaily/comments/1p5f8sx/cve202541115_a_maximumseverity_privilege · Reddit Post
- https://reddit.com/r/fairphone/comments/1oqufq7/no_security_patch_for_fairphone_despite_massive · Reddit Post
- https://reddit.com/r/SecOpsDaily/comments/1opbtuy/secopsdaily_20251105_roundup · Reddit Post
- https://worthdoingbadly.com/bluetooth · Reddit Post