Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.
AnalysisAI
BlueKitchen BTstack contains an out-of-bounds read vulnerability in AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby Bluetooth Classic attackers with a paired connection to trigger information disclosure and potential denial of service. The vulnerability requires an attacker within Bluetooth range to establish a paired connection and send specially crafted VENDOR_DEPENDENT responses, resulting in reads beyond packet boundaries. No public exploit code or active exploitation has been identified; vendor-released patch v1.8.1 is available.
Technical ContextAI
BlueKitchen BTstack is a Bluetooth stack implementation used in embedded systems and IoT devices. The vulnerability resides in the Audio/Video Remote Control Profile (AVRCP) Controller subsystem, specifically in message handlers for player application settings. The root cause is an out-of-bounds read (CWE-125) triggered when processing VENDOR_DEPENDENT response packets from paired Bluetooth Classic devices. The affected AVRCP handlers fail to properly validate packet length before accessing buffer contents, allowing an attacker to read memory regions beyond the allocated packet boundary. This affects all versions of BTstack prior to 1.8.1, as identified by the CPE cpe:2.3:a:bluekitchen_gmbh:btstack:*:*:*:*:*:*:*:* with unrestricted version matching.
RemediationAI
Vendor-released patch: BlueKitchen BTstack v1.8.1 and later. Upgrade to the latest version from the official GitHub releases page at https://github.com/bluekitchen/btstack/releases/tag/v1.8.1. Organizations unable to upgrade immediately should restrict Bluetooth Classic connections to trusted, known paired devices and monitor system logs for unexpected crashes or Bluetooth connection anomalies. Since the vulnerability requires an established pairing and proximity, limiting the number of paired devices and physically controlling access to pairing opportunities provides temporary risk reduction.
BlueKitchen BTstack AVRCP Controller handlers read beyond buffer boundaries when processing specially crafted VENDOR_DEP
Out-of-bounds read in BlueKitchen BTstack AVRCP Browsing Target GET_FOLDER_ITEMS handler allows paired Bluetooth Classic
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17087
GHSA-x9fm-645r-6855