CVE-2026-46532
Status: Received - Intake
Out-of-Bounds Read in Espressif ESP-IDF

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, an out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd() in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c). This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor     Product   Version / Range
espressif  esp-idf   5.2.6
espressif  esp-idf   5.3.5
espressif  esp-idf   5.4.4
espressif  esp-idf   5.5.3
espressif  esp-idf   6.0
espressif  esp-idf   From 5.2.7 (inc)
espressif  esp-idf   From 5.3.6 (inc)
espressif  esp-idf   From 5.4.5 (inc)
espressif  esp-idf   From 5.5.4 (inc)
espressif  esp-idf   From 6.0.1 (inc)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Detection Guidance

This vulnerability is an out-of-bounds read in the Bluetooth AVRCP vendor-command parser of the ESP-IDF Bluetooth stack. Because it is triggered by a malformed AVRCP vendor command carrying a zero-length payload, detection would involve capturing Bluetooth traffic and inspecting AVRCP vendor commands (in particular the AVRC_PDU_GET_CAPABILITIES and AVRC_PDU_LIST_PLAYER_APP_VALUES PDUs) for zero-length or otherwise malformed payloads.

Note that the link between paired BR/EDR devices is normally encrypted, so these commands are only visible to a sniffer that holds the link key or to logging on the target device's own host stack.

However, no specific detection commands or tools are provided in the available resources.

Executive Summary

CVE-2026-46532 is a heap out-of-bounds read vulnerability in the BlueDroid AVRCP vendor-command parser within the ESP-IDF Bluetooth stack. The flaw exists in the function avrc_pars_vendor_cmd(), where two specific PDU handlers (AVRC_PDU_GET_CAPABILITIES and AVRC_PDU_LIST_PLAYER_APP_VALUES) access the first byte of the payload without verifying whether the payload length is sufficient.

If a malformed AVRCP vendor command with a zero-length payload is received, the parser reads one byte beyond the end of the message buffer. This out-of-bounds byte is then checked against validity predicates and included in an error response sent back to the peer, which can be exploited as a limited oracle to infer adjacent heap memory contents.

While this vulnerability does not directly disclose arbitrary memory contents or allow code execution, an authenticated attacker within Bluetooth range with a paired device can exploit it to infer some heap memory data or cause a denial-of-service (DoS) in rare cases.

The issue affects all Espressif chip families supporting BR/EDR with BlueDroid Classic Bluetooth and AVRCP target support enabled and has been patched in newer versions by adding proper payload length validation before accessing the data.
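The missing-length-check pattern described above, shown as an added C example beside its hardened form. This is constructed for illustration and is not ESP-IDF's code; the PDU ids, status codes, message layout and validity predicates are assumptions.

```c
#include <stdint.h>
/* Assumed PDU ids and status codes for this example; not from ESP-IDF headers. */
#define PDU_GET_CAPABILITIES        0x10
#define PDU_LIST_PLAYER_APP_VALUES  0x12
#define STS_NO_ERROR   0x04
#define STS_BAD_PARAM  0x01
#define STS_BAD_CMD    0x00
typedef struct {
    uint8_t        pdu;        /* AVRCP PDU id */
    uint16_t       param_len;  /* declared parameter length */
    const uint8_t *param;      /* parameters inside the received message */
} vendor_cmd_t;

/* Vulnerable shape: both handlers read param[0] before looking at param_len.
 * With param_len == 0 that byte lies past the message, yet it still decides
 * the status returned to the peer (the oracle the advisory describes). */
int parse_unchecked(const vendor_cmd_t *c, uint8_t *inspected)
{
    switch (c->pdu) {
    case PDU_GET_CAPABILITIES:
        *inspected = c->param[0];
        return (*inspected == 2 || *inspected == 3) ? STS_NO_ERROR : STS_BAD_PARAM;
    case PDU_LIST_PLAYER_APP_VALUES:
        *inspected = c->param[0];
        return (*inspected >= 1 && *inspected <= 4) ? STS_NO_ERROR : STS_BAD_PARAM;
    default:
        return STS_BAD_CMD;
    }
}

/* Hardened shape: reject a too-short payload before any byte of it is read. */
int parse_checked(const vendor_cmd_t *c, uint8_t *inspected)
{
    if ((c->pdu == PDU_GET_CAPABILITIES || c->pdu == PDU_LIST_PLAYER_APP_VALUES)
        && c->param_len < 1)
        return STS_BAD_PARAM;
    return parse_unchecked(c, inspected);
}

/* Constructed message: pdu id, reserved byte, big-endian param length 0, then
 * one byte (0xA5) standing in for whatever follows the receive buffer in memory. */
static const uint8_t msg[] = { PDU_GET_CAPABILITIES, 0x00, 0x00, 0x00, 0xA5 };
static uint8_t seen;          /* byte the parser inspected, 0 if it read none */
int demo(int checked)         /* parse msg with the checked or unchecked variant */
{
    vendor_cmd_t c = { msg[0], (uint16_t)((msg[2] << 8) | msg[3]), &msg[4] };
    seen = 0;
    return checked ? parse_checked(&c, &seen) : parse_unchecked(&c, &seen);
}
int demo_seen(void) { return seen; }
```

Both variants reject the message, but only the unchecked one bases that answer on the byte past the payload; the checked variant never reads it.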

Impact Analysis

An authenticated attacker within Bluetooth radio range, using a paired device, can exploit this vulnerability to infer some heap memory contents adjacent to the AVRCP receive buffer, leaking limited information about the device's memory state.

Additionally, in rare cases, exploiting this vulnerability could cause a denial-of-service (DoS) condition due to the out-of-bounds memory access, potentially disrupting Bluetooth functionality.

However, the vulnerability does not allow arbitrary code execution or direct disclosure of arbitrary memory contents. Exploitation requires only low privileges (a paired device), but the attack vector is adjacent: the attacker must be within Bluetooth range.

Mitigation Strategies

The primary mitigation step is to update the ESP-IDF framework to a patched version where the vulnerability is fixed.

  • Upgrade to ESP-IDF 5.2.7, 5.3.6, 5.4.5, 5.5.4, or 6.0.1 (or a later release on the same branch), where the issue has been patched.
  • Enable Bluetooth AVRCP target support only where it is needed; the vulnerability affects only builds with BlueDroid Classic Bluetooth and AVRCP target support enabled.
  • If upgrading immediately is not possible, consider restricting Bluetooth BR/EDR connections or pairing to trusted devices only, since exploitation requires an authenticated, paired device within Bluetooth radio range.

Compliance Impact

The provided information does not include any details on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
