The November Android Security Bulletin discloses the CVE-2025-48593 vulnerability in the Bluetooth subsystem, which affects Android versions 13 through 16. The vulnerability has been assigned a critical severity level (9.8 out of 10), as it can lead to remote code execution when specially crafted Bluetooth packets are processed.
Google has not yet disclosed a detailed description of the vulnerability, but independent researchers claim that the problem does not affect regular smartphones and only affects Bluetooth devices that can act as a loudspeaker, such as smart speakers, smart watches and car infotainment systems. Exploitation requires the user to pair their device with the attacker's device, so as a workaround it is enough not to accept dubious pairing requests.
The fix comes down to adding a call that checks for the existence of the discovery database when working with the Handsfree Bluetooth profile, stopping the search for peers via SDP (Service Discovery Protocol), and resetting and clearing the p_disc_db structure ("discovery database"). Certain manipulations that cause errors to be returned and connections to be resumed while a Bluetooth service is being determined and the interaction between server and client is being negotiated lead to access to an already freed memory area (use-after-free).
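The defensive pattern described above, as an added C sketch that is not part of the original article and is not AOSP code. Apart from p_disc_db, every name here (hf_client_cb_t, hf_start_discovery, hf_free_discovery, hf_on_sdp_result) is hypothetical; the sketch shows teardown that stops the search and clears the pointer, so a late SDP result is rejected instead of touching freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for illustration; not AOSP types or functions. */
typedef struct { unsigned char records[64]; } disc_db_t;
typedef struct {
    disc_db_t *p_disc_db;     /* discovery database owned by the control block */
    bool sdp_search_active;   /* an SDP search may still call back into us */
    int results_handled;
} hf_client_cb_t;
/* Start service discovery: allocate the database, mark the search active. */
static bool hf_start_discovery(hf_client_cb_t *cb) {
    if (cb->p_disc_db != NULL) return false;   /* discovery already running */
    cb->p_disc_db = calloc(1, sizeof(*cb->p_disc_db));
    if (cb->p_disc_db == NULL) return false;
    cb->sdp_search_active = true;
    return true;
}

/* Teardown for error and reconnect paths: check, stop search, reset, clear. */
static void hf_free_discovery(hf_client_cb_t *cb) {
    if (cb->p_disc_db == NULL) return;         /* existence check, no double free */
    cb->sdp_search_active = false;             /* models stopping the SDP search */
    memset(cb->p_disc_db, 0, sizeof(*cb->p_disc_db));
    free(cb->p_disc_db);
    cb->p_disc_db = NULL;                      /* no dangling pointer survives */
}

/* SDP completion callback; returns false when the result is stale. */
static bool hf_on_sdp_result(hf_client_cb_t *cb) {
    if (!cb->sdp_search_active || cb->p_disc_db == NULL) return false;
    cb->p_disc_db->records[0] = 1;             /* safe: database is known to exist */
    cb->results_handled++;
    return true;
}
/* Constructed sequence: discovery, error teardown, late result, reconnect. */
static int replay_error_then_late_result(void) {
    hf_client_cb_t cb = {0};
    int stale_rejected = 0;
    if (!hf_start_discovery(&cb)) return -1;
    hf_free_discovery(&cb);                          /* error path */
    hf_free_discovery(&cb);                          /* repeated teardown is harmless */
    if (!hf_on_sdp_result(&cb)) stale_rejected++;    /* late callback is dropped */
    if (!hf_start_discovery(&cb) || !hf_on_sdp_result(&cb)) return -1;
    hf_free_discovery(&cb);
    return stale_rejected == 1 ? cb.results_handled : -1;
}

int main(void) { return replay_error_then_late_result() == 1 ? 0 : 1; }
```

Without the NULL assignment and the checks in hf_on_sdp_result, the late callback in the replay would write through a pointer to freed memory.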
The fix has already been ported to the LineageOS codebase. An early prototype of an exploit is available that causes a crash when running Android in a special emulator. Attempts to sell a working exploit have also been spotted on the Internet, but, apparently, these are attempts to distribute malware or sell dummies by scammers.
In addition to this vulnerability, the November Android update contains a fix for the vulnerability CVE-2025-48581. This issue affects Android 16 only and is marked as dangerous.
The cause of the vulnerability is a logical error in the VerifyNoOverlapInSessions function from the apexd.cpp file, which makes it possible to block the installation of updates that fix security problems. It is noted that the vulnerability can be used for local privilege escalation. The attack does not require user action.