CVE-2024-43763 - Denial of Service in Android's Bluetooth GATT Server (gatt_sr.cc) Explained

The Android Bluetooth stack is a critical component allowing devices to talk to each other wirelessly. However, when things go wrong, your phone can become vulnerable—even with no action on your part. Recently, security researchers uncovered a logic error in the Android Bluetooth GATT server code (gatt_sr.cc). This mistake can let nearby attackers remotely crash or freeze your Bluetooth features with no need for the user to take any action. Here's what CVE-2024-43763 is all about, why it matters, and how it works.

What is CVE-2024-43763?

CVE-2024-43763 is a vulnerability found in the build_read_multi_rsp function of gatt_sr.cc—part of the Bluetooth stack in Android. If someone sends specially-crafted messages over Bluetooth near your device, they can trigger this bug, causing your device’s Bluetooth service to become unresponsive or crash. All this can happen:

Diving into The Code

The error lives in the function responsible for handling “read multiple” requests to Bluetooth characteristics. A characteristic is like a single piece of data or sensor on a Bluetooth device. In Bluetooth Low Energy (BLE), a client can ask for multiple pieces of data at once, and the server (in this case, your phone) builds a response with all the requested values.

But the vulnerable function fails to handle certain edge cases, leading to potential DoS if someone sends bad requests.

Simplified C++ code snippet

void build_read_multi_rsp(uint8_t* p_rsp, const std::vector<GATT_Handle>& handles) {
    for (const auto& handle : handles) {
        // [BUG] Fails to check if handle is valid or response buffer has enough space
        memcpy(p_rsp, get_value(handle), get_length(handle));
        p_rsp += get_length(handle);
    }
    // Function might write past end of response buffer, causing memory corruption and crash
}

It does not check if copying the value will overrun the response buffer.

- If an attacker sends many invalid handles in the request, or requests huge values, it can cause corruption, crash, or freezing of the Bluetooth process.

Nearby Attacker: Someone with a laptop, phone or custom Bluetooth device gets near you.

2. Sends Malicious Read Multiple Request: They craft a bad “read multiple” request—asking for multiple invalid or large characteristic handles.
3. Target Device Receives Request: The vulnerable function processes the request without proper checking.
4. Crash or Freeze Ensues: The Bluetooth service crashes or becomes unresponsive—breaking any Bluetooth connections. This can keep happening as long as the attacker stays nearby and keeps sending the request.

Exploit Example

Here's a Python snippet using Bleak showing how such an attack could be initiated (for research purposes only):

from bleak import BleakClient

# Replace with target device address
ADDRESS = "XX:XX:XX:XX:XX:XX"
# List of invalid/large handles
HANDLE_LIST = [xFFFF, xFFFE, xF001, xF002]

async def exploit():
    async with BleakClient(ADDRESS) as client:
        # You'd need to use a lower-level library to craft read multiple responses,
        # as Bleak doesn't provide raw message injection!
        # This is for illustration only
        await client.read_gatt_char(HANDLE_LIST)

# Real exploits use custom crafted packets—see links below for tools and PoC code

Continuous attacks can keep device disrupted

- Not limited to Android phones—could affect head units, tablets, or wearables using the same code

Mitigation and Patching

If you’re a user:
- Update Android as soon as security updates become available (patch includes a fix for this logic error)

Turn off Bluetooth in crowded or unfamiliar areas if worried

If you’re an Android developer:

Validate every handle before reading data

Patch details:
See Android Security Bulletin—June 2024 for patch specifics.

References and Further Reading

- Official Android Security Bulletin — June 2024
- Bluetooth SIG GATT documentation
- AOSP gatt_sr.cc Source
- How Bluetooth “Read Multiple” Works (Adafruit Blog)

Summary Table

| | Description |
|-----------------|------------------------------------------------------|
| CVE | CVE-2024-43763 |
| Component | Bluetooth / gatt_sr.cc (Android) |
| Impact | Remote (proximity) Denial of Service (Bluetooth down)|
| Privileges | None (No user interaction required) |
| Remediation | Security update (see June 2024 Android Bulletin) |

Conclusion

CVE-2024-43763 is a textbook example of how a single logic error in a complex software stack can have real-world disruptive consequences—even without any user help. If you use Bluetooth, keep your device updated. If you work with low-level networking code, always validate your inputs and check buffer boundaries!

Have more questions? Feel free to ask in the comments below.

*(This writeup is exclusive to you. Please use responsibly.)*

Timeline

Published on: 01/21/2025 23:15:13 UTC
Last modified on: 03/17/2025 17:15:29 UTC