Remote Code Execution in Android bta_hf_client_cb_init Use-After-Free
CVE-2025-48593 is a critical vulnerability in the Android System component, specifically in bta_hf_client_cb_init in bta_hf_client_main.cc. The provided content states the flaw is a use-after-free condition that can result in remote code execution. Separate supporting content also characterizes the issue as involving insufficient validation of user input. Successful exploitation does not require additional execution privileges or user interaction. The issue is reported to affect Android 13, 14, 15, and 16, and is fixed in the 2025-11-01 Android security patch level.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a proof-of-concept (PoC) exploit for CVE-2025-48593, a vulnerability in the Android Bluetooth stack affecting devices that can act as Bluetooth headsets/speakers (e.g., smartwatches, smart glasses, cars). The PoC consists of a Python script ('blueshrimp.py') that uses the Bumble Bluetooth stack to emulate a Bluetooth Audio Gateway and interact with a target device over Bluetooth. The script manipulates SDP (Service Discovery Protocol) and RFCOMM channels to attempt to trigger the vulnerable code path, resulting in a crash (null dereference or invalid memory write) in the target's Bluetooth stack, as evidenced by included crash logs. The exploit does not achieve code execution or privilege escalation; it only demonstrates a denial-of-service condition. The repository also includes a Frida script ('dumpbt.js') for dynamic analysis and debugging of the Bluetooth stack on an Android emulator, and a configuration file ('device.json') for the Bumble stack. The README provides detailed context, limitations, and crash results, emphasizing that the exploit is not effective on real devices and only works on specially configured emulators. The overall structure is typical for a research PoC, with clear separation between exploit code, analysis tools, and documentation.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
47 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical remote code execution (RCE) vulnerability in Android’s System component that can be exploited remotely with no user interaction, impacting Android 13 through 16.
A critical Android System component vulnerability caused by insufficient input validation that can lead to remote code execution without additional privileges or user interaction.
A critical Android System component vulnerability caused by insufficient validation of user input that could allow remote code execution (RCE) without additional privileges and without user interaction, affecting Android 13–16.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.