Android 14 Vulnerability Exploitable via Bluetooth LE

Developers of the GrapheneOS project, a hardened fork of the Android Open Source Project (AOSP), have uncovered a vulnerability in the Bluetooth stack of the Android 14 platform that could potentially allow remote code execution. The issue stems from a use-after-free memory error in the code that processes audio transmitted over Bluetooth LE.

The vulnerability was identified thanks to the additional protection implemented with the ARMv8.5 MTE (Memory Tagging Extension) in the hardened_malloc allocator. The extension assigns a tag to each memory allocation and checks, on every access, that the tag carried in the pointer matches the tag of the memory it addresses, which catches bugs such as access to already freed memory blocks, buffer overflows, premature use of memory and use of memory outside its intended context.
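The tag-and-check mechanism described above, as an added software model written for this page (it is not GrapheneOS, hardened_malloc or real MTE code; the arena, the tag-in-top-byte pointer layout and the use_after_free_detected scenario are this illustration's own assumptions):

```c
/* Software model of MTE-style tagging (added illustration, not real MTE or
 * hardened_malloc code): memory is coloured in 16-byte granules, each allocation
 * gets a fresh 4-bit tag also stored in the pointer's top byte, and a checked
 * access passes only when the two tags agree. */
#include <stddef.h>
#include <stdint.h>
#define GRANULE 16                      /* MTE tags memory per 16-byte granule */
#define ARENA_GRANULES 64
#define TAG_SHIFT 56                    /* tag bits sit in the pointer's top byte */
#define TAG_MASK ((uintptr_t)0xF << TAG_SHIFT)
typedef uintptr_t tagged_ptr;

static uint8_t arena[ARENA_GRANULES * GRANULE];
static uint8_t granule_tag[ARENA_GRANULES]; /* the "memory tag" of each granule */
static size_t next_granule;
static uint32_t rng = 0x2545F491u;          /* small deterministic xorshift PRNG */

/* Pick a non-zero tag differing from both the old tag and the left neighbour's. */
static uint8_t fresh_tag(uint8_t old, uint8_t left) {
    uint8_t t;
    do { rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5; t = rng & 0xF; }
    while (t == 0 || t == old || t == left);
    return t;
}
static uint8_t ptr_tag(tagged_ptr p) { return (uint8_t)(p >> TAG_SHIFT) & 0xF; }
static uintptr_t strip(tagged_ptr p) { return p & ~TAG_MASK; }

/* Allocate: round up to whole granules, colour them, return a tagged pointer. */
tagged_ptr mte_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0 || next_granule + n > ARENA_GRANULES) return 0;
    uint8_t tag = fresh_tag(granule_tag[next_granule], next_granule ? granule_tag[next_granule - 1] : 0);
    for (size_t i = 0; i < n; i++) granule_tag[next_granule + i] = tag;
    uintptr_t raw = (uintptr_t)(arena + next_granule * GRANULE);
    next_granule += n;
    return raw | ((tagged_ptr)tag << TAG_SHIFT);
}
/* Checked access: 1 if tags match, 0 where MTE hardware would raise a fault. */
int mte_check(tagged_ptr p, size_t offset) {
    uintptr_t a = strip(p) + offset, base = (uintptr_t)arena;
    if (a < base || a >= base + sizeof arena) return 0;
    return granule_tag[(a - base) / GRANULE] == ptr_tag(p);
}
/* Free: retag the granules so every stale copy of the pointer stops matching. */
void mte_free(tagged_ptr p, size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE, first = (strip(p) - (uintptr_t)arena) / GRANULE;
    uint8_t t = fresh_tag(ptr_tag(p), ptr_tag(p));
    for (size_t i = 0; i < n; i++) granule_tag[first + i] = t;
}
/* The report's pattern: a buffer is freed, then a stale pointer touches it. */
int use_after_free_detected(void) {
    tagged_ptr buf = mte_alloc(20);
    int live_ok = mte_check(buf, 0);            /* live allocation passes */
    mte_free(buf, 20);
    return live_ok && !mte_check(buf, 0);       /* stale pointer is caught */
}
```

Note that the 20-byte allocation occupies two full granules, so an overrun up to byte 31 still passes the check: tagging is granule-granular, which is why neighbouring allocations must receive different tags.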

The flaw surfaced after the Android 14 QPR2 update released in early March. MTE is present in Android 14 as an optional feature that is not yet enabled by default, but GrapheneOS had turned it on for added protection, which let the project pinpoint the error after the QPR2 update caused unexpected crashes with Samsung Galaxy Buds2 Pro earbuds on MTE-enabled firmware. Subsequent analysis confirmed that the crashes were due to a genuine vulnerability rather than a fault in the MTE integration.

The vulnerability has been fixed in GrapheneOS release 2024030900 and affects devices without MTE-based hardware protection (currently active only on the Pixel 8 and Pixel 8 Pro). The issue was reproduced on Google Pixel 8 smartphones running Android 14 QPR2. Users can enable MTE on Pixel 8 devices under “Settings / System / Developer Options / Memory Tagging Extension.”
