CVE-2026-28528
Out-of-Bounds Read in BlueKitchen BTstack AVRCP Causes Crashes
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bluekitchen-gmbh | btstack | up to 1.8.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28528 is an out-of-bounds read vulnerability in BlueKitchen BTstack's AVRCP Browsing Target GET_FOLDER_ITEMS handler. The issue occurs because the software does not properly validate packet boundaries and attribute count data, specifically failing to check the attr_id parameter correctly.
An attacker who has a paired Bluetooth Classic connection can exploit this flaw to cause crashes and corrupt the attribute bitmap state, potentially leading to undefined or unexpected behavior in the affected system.
How can this vulnerability impact me?
This vulnerability can be exploited by an attacker with a paired Bluetooth Classic connection to cause crashes and corrupt internal attribute data. This can lead to instability or denial of service in the affected device or application.
The impact affects the integrity and availability of the system, meaning that data could be corrupted and the system could become unavailable or unreliable during exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds read in the AVRCP Browsing Target GET_FOLDER_ITEMS handler of BlueKitchen BTstack, exploitable via a paired Bluetooth Classic connection. Detection would require monitoring Bluetooth Classic connections and specifically inspecting AVRCP GET_FOLDER_ITEMS requests for malformed attr_id parameters that exceed expected bounds.
No specific detection commands or tools are provided in the available resources. However, network or system administrators could consider using Bluetooth protocol analyzers or packet capture tools to monitor AVRCP traffic and look for irregularities in GET_FOLDER_ITEMS requests.
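The checks described above, written out as a validator for a GET_FOLDER_ITEMS parameter payload; this is an added example, not BTstack code or its patch. The field layout, the attribute ID range 0x01 to 0x08, the use of attr_id as a bitmap bit index, and all `gfi_*` names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameter layout (AVRCP GetFolderItems, after the browsing PDU header):
 * scope(1) start_item(4) end_item(4) attr_count(1) attr_id[attr_count] (4 bytes each, big endian). */
#define GFI_FIXED_LEN   10u
#define GFI_ATTR_ALL    0x00u  /* attr_count value: all attributes requested */
#define GFI_ATTR_NONE   0xFFu  /* attr_count value: no attributes requested */
#define GFI_MAX_ATTR_ID 8u     /* assumed valid attribute IDs: 0x01..0x08 */

typedef enum { GFI_OK = 0, GFI_TRUNCATED, GFI_COUNT_OVERRUN, GFI_BAD_ATTR_ID } gfi_status_t;

/* Constructed sample payloads (not captured traffic). */
static const uint8_t GFI_SAMPLE_OK[]      = {0x01, 0,0,0,0, 0,0,0,9, 0x02, 0,0,0,1, 0,0,0,2};
static const uint8_t GFI_SAMPLE_OVERRUN[] = {0x01, 0,0,0,0, 0,0,0,9, 0x05, 0,0,0,1};
static const uint8_t GFI_SAMPLE_BAD_ID[]  = {0x01, 0,0,0,0, 0,0,0,9, 0x01, 0,0,0,0x40};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validates one request and builds the attribute bitmap (bit n-1 = attribute n).
 * The caller's bitmap is written only after every check has passed. */
gfi_status_t gfi_validate(const uint8_t *pdu, size_t len, uint32_t *bitmap_out) {
    if (len < GFI_FIXED_LEN) return GFI_TRUNCATED;
    uint8_t count = pdu[9];
    if (count == GFI_ATTR_ALL)  { *bitmap_out = (1u << GFI_MAX_ATTR_ID) - 1u; return GFI_OK; }
    if (count == GFI_ATTR_NONE) { *bitmap_out = 0; return GFI_OK; }
    /* The claimed count must fit in the bytes actually received. */
    if ((len - GFI_FIXED_LEN) / 4u < count) return GFI_COUNT_OVERRUN;
    uint32_t bitmap = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t attr_id = read_be32(pdu + GFI_FIXED_LEN + 4u * i);
        /* Assumption: attr_id becomes a bit index, so range-check it before shifting. */
        if (attr_id == 0 || attr_id > GFI_MAX_ATTR_ID) return GFI_BAD_ATTR_ID;
        bitmap |= 1u << (attr_id - 1u);
    }
    *bitmap_out = bitmap;
    return GFI_OK;
}

int main(void) {
    uint32_t bm = 0;
    printf("ok=%d ", (int)gfi_validate(GFI_SAMPLE_OK, sizeof GFI_SAMPLE_OK, &bm));
    printf("overrun=%d ", (int)gfi_validate(GFI_SAMPLE_OVERRUN, sizeof GFI_SAMPLE_OVERRUN, &bm));
    printf("bad_id=%d\n", (int)gfi_validate(GFI_SAMPLE_BAD_ID, sizeof GFI_SAMPLE_BAD_ID, &bm));
    return 0;
}
```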
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update BlueKitchen BTstack to version 1.8.1 or later, where this out-of-bounds read vulnerability has been addressed.
Additionally, limiting or disabling Bluetooth Classic connections where possible, especially from untrusted devices, can reduce the risk of exploitation.
Monitoring paired devices and restricting user interaction with unknown Bluetooth devices can also help mitigate potential attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.