We have discovered a use-after-free memory corruption bug in Android 14 QPR2 for Bluetooth LE. This issue impacts the stock operating system as well. We have reported this to Google as a security bug today.
We have already made an initial, minimally invasive patch to fix this:
We have noted elsewhere that this code needs a major refactor and shouldn't be using raw pointers, but we want to avoid introducing new bugs with a quick patch.
The hardware memory tagging support for Pixel 8 and later has helped massively. On devices earlier than them it likely would manifest as BLE audio devices not working without an error message since it wouldn't crash. Our MTE implementation detects it which is what led to us being able to fix it so quickly.
The hardening GrapheneOS implements doesn't just help the users by making them safe from exploits, it helps developers by helping them to create more secure software by catching memory corruption bugs and uncovering them thanks to our features.
Pixels shipped a humongous hardware security feature by having memory tagging support but they do not use it for the OS to save around 3.25% of memory usage. GrapheneOS enabled it by default for the OS and known user-installed apps compatible with it. As we have mentioned before, GrapheneOS is the first platform using MTE in production and Vanadium is the first web browser too.
Progress towards Android 14 QPR2 is coming along nicely and hopefully all (which are minimal) regressions will be fixed soon.
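An added illustration of the bug class described above and of the "don't hold raw pointers" direction the post mentions; this is not code from the Android Bluetooth stack, from the GrapheneOS patch, or from any project, and the device names, struct layout and registry size are constructed for the example. It contrasts the dangling-raw-pointer shape (where a read after free silently returns stale or reused memory on untagged hardware, and faults under MTE) with a generation-checked handle registry that rejects stale references outright:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVICES 4   /* constructed size for the example */

typedef struct {
    char name[32];
    int  connected;
} ble_device_t;

/* ---- Vulnerable shape: a consumer caches a raw pointer to the device ---- */

typedef struct {
    ble_device_t *dev;    /* heap-allocated device, freed on disconnect */
} raw_audio_session_t;

/* Freeing here leaves every *other* holder of the same pointer dangling.
 * A later read through such a stale pointer is the use-after-free: without
 * hardware tagging it silently returns whatever the allocator reused the
 * block for (the audio device just "stops working"), while under MTE the
 * freed block is retagged and the stale load faults on the spot. */
void raw_disconnect(raw_audio_session_t *s) {
    free(s->dev);
    s->dev = NULL;        /* protects this holder only, not any copies */
}

/* ---- Hardened shape: consumers hold a generation-checked handle ---- */

typedef struct {
    uint16_t slot;
    uint32_t generation;
} ble_handle_t;

typedef struct {
    ble_device_t devices[MAX_DEVICES];
    uint32_t     generation[MAX_DEVICES];   /* bumped on every reuse */
    int          in_use[MAX_DEVICES];
} device_registry_t;

static const ble_handle_t INVALID_HANDLE = { UINT16_MAX, 0 };

/* Map a handle to its device, or NULL if the slot was freed or reused. */
ble_device_t *registry_resolve(device_registry_t *r, ble_handle_t h) {
    if (h.slot >= MAX_DEVICES || !r->in_use[h.slot]) return NULL;
    if (r->generation[h.slot] != h.generation) return NULL;
    return &r->devices[h.slot];
}

/* Generations start at 1, so an all-zero handle never resolves. */
ble_handle_t registry_add(device_registry_t *r, const char *name) {
    for (uint16_t i = 0; i < MAX_DEVICES; i++) {
        if (r->in_use[i]) continue;
        r->in_use[i] = 1;
        r->generation[i] += 1;
        snprintf(r->devices[i].name, sizeof r->devices[i].name, "%s", name);
        r->devices[i].connected = 1;
        return (ble_handle_t){ i, r->generation[i] };
    }
    return INVALID_HANDLE;
}

/* Returns 0 on success, -1 for a stale or invalid handle (a double
 * remove therefore becomes a harmless no-op instead of a double free). */
int registry_remove(device_registry_t *r, ble_handle_t h) {
    ble_device_t *d = registry_resolve(r, h);
    if (d == NULL) return -1;
    d->connected = 0;
    r->in_use[h.slot] = 0;
    return 0;
}

/* Walk the disconnect/reconnect sequence that would dangle a raw pointer.
 * Returns 1 when every stale access is rejected, 0 otherwise. */
int registry_selftest(void) {
    device_registry_t r = {0};
    ble_handle_t h1 = registry_add(&r, "headset-A");   /* constructed name */
    ble_device_t *d = registry_resolve(&r, h1);
    if (d == NULL || strcmp(d->name, "headset-A") != 0) return 0;
    if (registry_remove(&r, h1) != 0) return 0;
    if (registry_resolve(&r, h1) != NULL) return 0;    /* stale handle rejected */
    ble_handle_t h2 = registry_add(&r, "earbuds-B");   /* reuses the slot */
    if (h2.slot != h1.slot || h2.generation != h1.generation + 1) return 0;
    if (registry_resolve(&r, h1) != NULL) return 0;    /* old handle stays dead */
    if (registry_resolve(&r, h2) == NULL) return 0;
    if (registry_remove(&r, h1) != -1) return 0;       /* double remove is a no-op */
    return 1;
}

int main(void) {
    printf("selftest: %s\n", registry_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The handle version costs one generation counter per slot and a compare on every lookup, and it turns the silent failure mode (audio path reading reused memory) into an explicit NULL that the caller has to handle; on hardware without memory tagging that is the only thing standing between a stale reference and undefined behaviour.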
Rust fixes this
Very true! Android has ported a lot of the Bluetooth code to Rust already but this shows they need to do more.
Been using GrapheneOS already for more than a year (maybe two?) and I haven't looked back.
Best mobile OS at the moment by far.
Sometimes I see friends' Pixels and the amount of ads from Google is insane. Even at their App Store, it feels like a cheap knock-off, not the Google that I knew from a decade ago or so. They used to make ads way less obvious back in the day.