CVE-2026-28526
Out-of-Bounds Read in BlueKitchen BTstack AVRCP Controller
Publication date: 2026-03-30
Last updated on: 2026-04-03
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bluekitchen-gmbh | btstack | before 1.8.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28526 is an out-of-bounds read vulnerability in BlueKitchen BTstack's AVRCP Controller, specifically in the LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers.
An attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response containing an attacker-controlled count value. This causes the system to read beyond the boundaries of the L2CAP receive buffer.
This out-of-bounds read can potentially cause a crash, especially on devices with limited resources.
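The missing check behind this bug class, as an added example that is not BTstack's code: a count taken from the peer must be compared against the bytes actually received before it drives any read. The function names, result codes and the parameter layout (one count byte followed by that many one-byte IDs) are assumptions made for illustration, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (hypothetical names). */
enum { LIST_OK = 0, LIST_TRUNCATED = -1, LIST_COUNT_EXCEEDS_PAYLOAD = -2, LIST_OUT_TOO_SMALL = -3 };

/* Assumed layout: params[0] = count, then `count` one-byte IDs.
 * params_len is the number of bytes actually received, not what the peer claims. */
static int parse_id_list(const uint8_t *params, size_t params_len,
                         uint8_t *out, size_t out_cap, size_t *out_count)
{
    if (params_len < 1) return LIST_TRUNCATED;          /* no count byte at all */
    size_t count = params[0];                           /* peer-controlled */
    size_t available = params_len - 1;                  /* bytes after the count */
    if (count > available) return LIST_COUNT_EXCEEDS_PAYLOAD;
    if (count > out_cap) return LIST_OUT_TOO_SMALL;
    memcpy(out, params + 1, count);                     /* stays inside the buffer */
    *out_count = count;
    return LIST_OK;
}

/* For logging and triage: how many bytes past the end of the buffer a loop
 * that trusted the count would have read. Zero means the count is consistent. */
static size_t overread_bytes(const uint8_t *params, size_t params_len)
{
    if (params_len < 1) return 0;
    size_t available = params_len - 1;
    return params[0] > available ? (size_t)params[0] - available : 0;
}

int main(void)
{
    /* Constructed samples: a consistent list and one whose count overstates the payload. */
    const uint8_t good[] = { 0x03, 0x01, 0x02, 0x03 };
    const uint8_t bad[]  = { 0xFF, 0x01, 0x02 };
    uint8_t ids[16];
    size_t n = 0;

    printf("good: rc=%d\n", parse_id_list(good, sizeof good, ids, sizeof ids, &n));
    printf("bad:  rc=%d, would over-read %zu bytes\n",
           parse_id_list(bad, sizeof bad, ids, sizeof ids, &n),
           overread_bytes(bad, sizeof bad));
    return 0;
}
```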
How can this vulnerability impact me?
The primary impact of this vulnerability is the potential for a crash on resource-constrained devices due to the out-of-bounds read.
An attacker must be nearby and have a paired Bluetooth Classic connection to exploit this vulnerability, and user interaction is required.
While the severity is low, exploitation could lead to denial of service by causing the affected device to crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds read triggered by a specially crafted VENDOR_DEPENDENT response over a paired Bluetooth Classic connection targeting the AVRCP Controller handlers. Detection would require monitoring Bluetooth Classic traffic for unusual or malformed VENDOR_DEPENDENT responses, especially those containing suspicious count values.
Since the vulnerability is specific to BlueKitchen BTstack versions prior to 1.8.1 and involves the AVRCP Controller's LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers, detection can focus on identifying devices running vulnerable BTstack versions and analyzing Bluetooth L2CAP packets.
- Use Bluetooth protocol analyzers (e.g., Wireshark) to capture and inspect L2CAP traffic for VENDOR_DEPENDENT responses with abnormal count values.
- Check the version of BlueKitchen BTstack on your devices to identify if they are prior to 1.8.1.
- On Linux systems, use commands like `btmon` to monitor Bluetooth traffic in real time.
- Use `hcitool con` to list active Bluetooth connections and identify paired devices that could potentially exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update BlueKitchen BTstack to version 1.8.1 or later, where this out-of-bounds read vulnerability has been addressed.
Since the attack requires a paired Bluetooth Classic connection and user interaction, limiting or controlling Bluetooth pairing and connections can reduce exposure.
- Apply the latest patches or updates from BlueKitchen to ensure the AVRCP Controller handlers are not vulnerable.
- Restrict Bluetooth Classic pairing to trusted devices only.
- Disable Bluetooth Classic or AVRCP profiles if they are not needed on the device.
- Monitor Bluetooth connections for suspicious activity and disconnect unknown or untrusted devices.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.