CVE-2025-48593

Name of the Vulnerable Software and Affected Versions Android versions 13 through 16

Description A critical remote code execution issue exists in the Bluetooth stack of the Android operating system. The flaw, located in the bta hf client cb init function of bta hf client main.cc, is due to a use-after-free condition. This allows an attacker to execute arbitrary code remotely without requiring any user interaction. The vulnerability can be triggered by sending specially crafted network packets or through malicious applications distributed outside of official app stores. Devices acting as Bluetooth headphones, smartwatches, smart glasses, and cars are particularly affected. The issue is considered critical, with a potential impact of full device takeover. The vulnerability does not affect phones or tablets.

Recommendations Update to a version with the November 2025 security patch (patch level 2025-11-01) or later. If possible, disable the Bluetooth Hands-Free Profile (HFP) to minimize the risk of exploitation.