Executive Summary

CVE-2026-28526 is an out-of-bounds read vulnerability in BlueKitchen BTstack's AVRCP Controller, specifically in the LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers.

An attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response containing an attacker-controlled count value. This causes the system to read beyond the boundaries of the L2CAP receive buffer.

This out-of-bounds read can potentially cause a crash, especially on devices with limited resources.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is the potential for a crash on resource-constrained devices due to the out-of-bounds read.

An attacker must be nearby and have a paired Bluetooth Classic connection to exploit this vulnerability, and user interaction is required.

While the severity is low, exploitation could lead to denial of service by causing the affected device to crash.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an out-of-bounds read triggered by a specially crafted VENDOR_DEPENDENT response over a paired Bluetooth Classic connection targeting the AVRCP Controller handlers. Detection would require monitoring Bluetooth Classic traffic for unusual or malformed VENDOR_DEPENDENT responses, especially those containing suspicious count values.

Since the vulnerability is specific to BlueKitchen BTstack versions prior to 1.8.1 and involves the AVRCP Controller's LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers, detection can focus on identifying devices running vulnerable BTstack versions and analyzing Bluetooth L2CAP packets.

• Use Bluetooth protocol analyzers (e.g., Wireshark) to capture and inspect L2CAP traffic for VENDOR_DEPENDENT responses with abnormal count values.
• Check the version of BlueKitchen BTstack on your devices to identify if they are prior to 1.8.1.
• On Linux systems, use commands like `btmon` to monitor Bluetooth traffic in real-time.
• Use `hcitool con` to list active Bluetooth connections and identify paired devices that could potentially exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update BlueKitchen BTstack to version 1.8.1 or later, where this out-of-bounds read vulnerability has been addressed.

Since the attack requires a paired Bluetooth Classic connection and user interaction, limiting or controlling Bluetooth pairing and connections can reduce exposure.

• Apply the latest patches or updates from BlueKitchen to ensure the AVRCP Controller handlers are not vulnerable.
• Restrict Bluetooth Classic pairing to trusted devices only.
• Disable Bluetooth Classic or AVRCP profiles if they are not needed on the device.
• Monitor Bluetooth connections for suspicious activity and disconnect unknown or untrusted devices.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0