2025 Security Bulletin
The Airoha Product Security Bulletin contains details of security vulnerabilities affecting Airoha chipsets. Device OEMs have been notified of all the issues and the corresponding security patches before publication.
The severity of the identified vulnerabilities was assessed using the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).
Acknowledgements
| CVEs | Researchers |
|---|---|
| CVE-2025-20700, CVE-2025-20701, CVE-2025-20702 | The vulnerabilities were identified by Dennis Heinze and Frieder Steinmetz, security researchers of ERNW Enno Rey Netzwerke GmbH, and reported by Julian Suleder of ERNW's vulnerability disclosure team. |

Details

| CVE | CVE-2025-20700 |
|---|---|
| Title | Missing GATT authentication for RACE services with critical data |
| Severity | High |
| Vulnerability Type | EoP |
| CWE | CWE-306 Missing Authentication for Critical Function |
| Description | In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access to critical data of the RACE protocol through the Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| Affected Chipsets | AB156x, AB157x, AB158x, AB159x series and AB1627 |
| Affected Software Versions | Airoha IoT SDK for BT audio v5.5.0 and earlier; Airoha AB1561x/AB1562x/AB1563x SDK v3.3.1 and earlier |
| Report Source | External |

| CVE | CVE-2025-20701 |
|---|---|
| Title | Allow authentication for Bluetooth BR/EDR in non-pairing mode |
| Severity | High |
| Vulnerability Type | EoP |
| CWE | CWE-863 Incorrect Authorization |
| Description | In the Airoha Bluetooth audio SDK, there is a possible way to pair a Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| Affected Chipsets | AB156x, AB157x, AB158x, AB159x series |
| Affected Software Versions | Airoha IoT SDK for BT audio v5.5.0 and earlier; Airoha AB1561x/AB1562x/AB1563x SDK v3.3.1 and earlier |
| Report Source | External |

| CVE | CVE-2025-20702 |
|---|---|
| Title | Critical capabilities of the RACE protocol |
| Severity | Critical |
| Vulnerability Type | EoP |
| CWE | CWE-306 Missing Authentication for Critical Function |
| Description | In the Airoha Bluetooth audio SDK, there is possible unauthorized access to the RACE protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| Affected Chipsets | AB156x, AB157x, AB158x, AB159x series and AB1627 |
| Affected Software Versions | Airoha IoT SDK for BT audio v5.5.0 and earlier; Airoha AB1561x/AB1562x/AB1563x SDK v3.3.1 and earlier |
| Report Source | External |