Skip to main content

Btstack CVE-2026-28526

| EUVDEUVD-2026-17085 LOW
Out-of-bounds Read (CWE-125)
2026-03-30 VulnCheck
2.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.1 LOW
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 30, 2026 - 14:15 euvd
EUVD-2026-17085
Analysis Generated
Mar 30, 2026 - 14:15 vuln.today
Patch released
Mar 30, 2026 - 14:15 nvd
Patch available
CVE Published
Mar 30, 2026 - 14:06 nvd
LOW 2.1

DescriptionCVE.org

BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

AnalysisAI

BlueKitchen BTstack AVRCP Controller handlers read beyond buffer boundaries when processing specially crafted VENDOR_DEPENDENT responses, allowing nearby Bluetooth Classic attackers with a paired connection to trigger an out-of-bounds read that may crash resource-constrained devices. The vulnerability affects all versions prior to v1.8.1, has a CVSS score of 2.1 (very low severity) due to limited availability impact and requirement for paired connection plus user interaction, and no public exploit code or active exploitation has been identified.

Technical ContextAI

BlueKitchen BTstack is a Bluetooth Classic and Bluetooth Low Energy protocol stack implementation. The vulnerability resides in the AVRCP (Audio/Video Remote Control Profile) Controller message handlers for LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES commands. These handlers fail to validate an attacker-controlled count value before using it to read from the L2CAP (Logical Link Control and Adaptation Protocol) receive buffer, resulting in a classic out-of-bounds read condition (CWE-125: Out-of-bounds Read). The root cause is insufficient input validation of count parameters in VENDOR_DEPENDENT response parsing. The affected CPE is cpe:2.3:a:bluekitchen_gmbh:btstack:*:*:*:*:*:*:*:*, indicating all versions of the BTstack library are affected unless patched.

RemediationAI

Vendor-released patch: BTstack v1.8.1 or later. Update to the patched version immediately if your application uses the AVRCP Controller handlers. For embedded or IoT deployments where rapid patching is difficult, temporarily disable AVRCP Controller functionality if not required for your use case, or restrict Bluetooth pairing to trusted devices only. Verify the patch by checking the release notes at https://github.com/bluekitchen/btstack/releases/tag/v1.8.1. No workarounds exist that eliminate the vulnerability while maintaining full AVRCP Controller functionality.

Share

CVE-2026-28526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy