CVE-2017-13260

HIGH

Android 5.1.1-8.1 - Out-of-bounds Read in bnep_data_ind

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-13260. PoCs published by QuarksLab.

AI-analyzed exploit summary This exploit triggers an out-of-bounds read in the BNEP (Bluetooth Network Encapsulation Protocol) implementation by sending a malformed BNEP packet. It targets a vulnerability in the BNEP control packet processing, specifically by omitting the 'len' field, leading to an OOB read.

Description

In bnep_data_ind of bnep_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-69177251.

Exploits (2)

exploitdb WORKING POC

by QuarksLab · pythondosandroid

https://www.exploit-db.com/exploits/44327

View Code ZIP pw:eip

This exploit triggers an out-of-bounds read in the BNEP (Bluetooth Network Encapsulation Protocol) implementation by sending a malformed BNEP packet. It targets a vulnerability in the BNEP control packet processing, specifically by omitting the 'len' field, leading to an OOB read.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Linux Bluetooth stack (BlueZ) with BNEP support

No auth needed

Prerequisites: Bluetooth adapter with L2CAP support · Root privileges · Physical proximity or prior pairing with the target device

MITRE ATT&CK

T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by QuarksLab · pythondosandroid

https://www.exploit-db.com/exploits/44326

View Code ZIP pw:eip

This exploit targets a Bluetooth BNEP heap information leak vulnerability (CVE-2017-13262) in Android's Bluetooth stack. It sends malformed BNEP packets to leak heap bytes from com.android.bluetooth by triggering a command-not-understood response.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Android Bluetooth stack (com.android.bluetooth)

No auth needed

Prerequisites: Bluetooth enabled on target · Attacker within Bluetooth range · Root privileges on attacker device

MITRE ATT&CK

T1003 - OS Credential Dumping

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44327/

Vendor Advisory x_refsource_confirm

https://source.android.com/security/bulletin/2018-03-01

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44326/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103253

Scores

CVSS v3 7.5

EPSS 0.0758

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-125

Status published

Products (8)

google/android 5.1.1

google/android 6.0

google/android 6.0.1

google/android 7.0

google/android 7.1.1

google/android 7.1.2

google/android 8.0

google/android 8.1

Published Apr 04, 2018

Tracked Since Feb 18, 2026