CVSS Vector (NVD)
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Sony XAV-AX8500 Bluetooth SDP Protocol Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sony XAV-AX8500 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the Bluetooth SDP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26288.
Analysis (AI)
CVE-2025-5478 is a critical integer overflow vulnerability in the Bluetooth SDP (Service Discovery Protocol) implementation of Sony XAV-AX8500 in-vehicle infotainment systems. It allows unauthenticated, network-adjacent attackers to execute arbitrary code with root privileges. The vulnerability stems from insufficient input validation in the buffer allocation logic and requires no user interaction. Given the automotive infotainment context and the absence of any authentication requirement, it represents a significant risk to connected vehicle security, particularly while the head unit's Bluetooth radio is within range of an attacker.
Technical Context (AI)
The vulnerability exists in the Bluetooth SDP protocol stack implementation (CWE-190: Integer Overflow or Wraparound) on Sony XAV-AX8500 devices. Bluetooth SDP is the service discovery mechanism that allows devices to advertise and discover available services over Bluetooth connections. The flaw occurs when user-supplied data from SDP requests is processed without proper validation before being used in integer arithmetic operations for buffer size calculations. An integer overflow in this context causes the calculated buffer size to wrap around to a small value, resulting in a classic heap buffer overflow when the attacker-controlled data is written into the undersized buffer. The attack requires network-adjacent access (Bluetooth range), making it exploitable from any device within ~100 meters of the vehicle. The root cause is the failure to validate or sanitize SDP protocol messages that could contain malicious length fields or attribute data.
Remediation (AI)
Immediate actions:
1. Contact Sony directly for firmware update availability and timeline (expected avenue: Sony automotive support or the OEM vehicle manufacturer).
2. Until a patch is available, disable Bluetooth functionality if operationally feasible, or reduce Bluetooth discovery/pairing timeout windows to minimize exposure.
3. Park vehicles in secure, enclosed locations away from public areas to reduce network-adjacent attack proximity.
4. Monitor Sony and affected vehicle manufacturer advisory pages for coordinated disclosure and patch releases.

Vendor fix (pending): Sony must release a firmware update that adds proper input validation to the Bluetooth SDP message handler, specifically bounds checking before the integer arithmetic in buffer allocation routines and validation of all SDP attribute lengths against protocol-defined maximums. The patch should be tested and deployed through OEM vehicle software update systems. No workaround fully eliminates the risk without disabling Bluetooth entirely.
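The arithmetic failure described in the Technical Context section, placed beside the bounds checking the remediation calls for, as an added illustration in C. This is not the Sony firmware's code and no detail of the actual flaw is reproduced: the message layout (a 32-bit big-endian record count followed by fixed 8-byte records, with a 64-record maximum) is a constructed stand-in for an SDP response rather than the real SDP PDU format, and the function names and constants are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed stand-in for a length-driven SDP-style response: a 32-bit
 * big-endian record count followed by fixed-size attribute records.
 * This is not the real Bluetooth SDP PDU layout and not vendor code; it
 * only reproduces the CWE-190 arithmetic pattern and its checked form.
 */
#define HEADER_SIZE   4u    /* bytes holding the record count */
#define RECORD_SIZE   8u    /* assumed fixed size of one record */
#define MAX_RECORDS   64u   /* assumed protocol-defined maximum */

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: an attacker-controlled count feeds 32-bit arithmetic
 * with no overflow check.  count = 0x20000001 gives 0x20000001 * 8 =
 * 0x1_0000_0008, which wraps to 8, so a 12-byte buffer is requested for
 * what the sender then treats as 4 GiB of records. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    uint32_t body = count * RECORD_SIZE;   /* unsigned wraparound here */
    return HEADER_SIZE + body;
}

/* Hardened pattern: enforce the protocol maximum first, then prove the
 * multiplication and addition cannot wrap before doing them.
 * Returns the byte count, or -1 if the request is rejected. */
int64_t alloc_size_checked(uint32_t count)
{
    if (count > MAX_RECORDS)
        return -1;                        /* semantic bound from the spec */
    if (count > (UINT32_MAX - HEADER_SIZE) / RECORD_SIZE)
        return -1;                        /* arithmetic bound; defence in depth */
    return (int64_t)HEADER_SIZE + (int64_t)count * RECORD_SIZE;
}

/* Parses a received message into a correctly sized heap buffer.  The
 * declared count is checked against the protocol maximum, against
 * arithmetic overflow, and against the bytes actually received.
 * Returns the record count, or -1 on rejection.  Caller frees *records. */
int parse_records_checked(const uint8_t *msg, size_t msg_len, uint8_t **records)
{
    *records = NULL;
    if (msg_len < HEADER_SIZE)
        return -1;
    uint32_t count = read_be32(msg);
    int64_t need = alloc_size_checked(count);
    if (need < 0 || (uint64_t)need > msg_len)
        return -1;                        /* bogus count or truncated message */
    size_t body = (size_t)count * RECORD_SIZE;
    *records = malloc(body ? body : 1);   /* avoid malloc(0) ambiguity */
    if (*records == NULL)
        return -1;
    memcpy(*records, msg + HEADER_SIZE, body);
    return (int)count;                    /* count <= MAX_RECORDS, fits in int */
}

/* Constructed well-formed message with two records; expected result 2. */
int demo_parse_valid(void)
{
    uint8_t msg[HEADER_SIZE + 2 * RECORD_SIZE] = { 0x00, 0x00, 0x00, 0x02 };
    for (size_t i = 0; i < 2 * RECORD_SIZE; i++)
        msg[HEADER_SIZE + i] = (uint8_t)(0xA0 + i);   /* recognisable payload */
    uint8_t *recs = NULL;
    int n = parse_records_checked(msg, sizeof msg, &recs);
    if (n == 2 && recs[2 * RECORD_SIZE - 1] != (uint8_t)(0xA0 + 15))
        n = -1;                           /* copy did not land intact */
    free(recs);
    return n;
}

/* Constructed message whose count (0x20000001) would wrap the unchecked
 * size to 12 bytes; the checked parser rejects it without allocating. */
int demo_parse_wrapping_count(void)
{
    uint8_t msg[HEADER_SIZE + RECORD_SIZE] = { 0x20, 0x00, 0x00, 0x01 };
    uint8_t *recs = NULL;
    int n = parse_records_checked(msg, sizeof msg, &recs);
    free(recs);                           /* NULL here; free(NULL) is a no-op */
    return n;
}

int main(void)
{
    printf("unchecked size for count 0x20000001: %u bytes\n",
           alloc_size_unchecked(0x20000001u));
    printf("checked size for count 0x20000001: %lld\n",
           (long long)alloc_size_checked(0x20000001u));
    printf("checked size for count 2: %lld\n", (long long)alloc_size_checked(2u));
    printf("valid message parsed: %d records\n", demo_parse_valid());
    printf("wrapping count parsed: %d (rejected)\n", demo_parse_wrapping_count());
    return 0;
}
```

The order of the two checks in alloc_size_checked is the point worth keeping: the protocol maximum is the primary control and already excludes every wrapping value, while the explicit division-based overflow test stays in place so that the code remains safe if someone later raises MAX_RECORDS or changes RECORD_SIZE. The parser additionally compares the computed size with the bytes actually received, which catches a declared count that is within bounds but larger than the payload.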
EUVD-2025-18883