Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.
AnalysisAI
Out-of-bounds read in BlueKitchen BTstack AVRCP Browsing Target GET_FOLDER_ITEMS handler allows paired Bluetooth Classic attackers to cause denial of service and corrupt attribute bitmap state through insufficient bounds validation on the attr_id parameter. Attack requires proximity (Bluetooth range) and an established pairing relationship. CVSS score of 2.1 reflects limited impact (no confidentiality loss, minor integrity and availability degradation) despite low attack complexity; no active exploitation reported at time of analysis.
Technical ContextAI
BlueKitchen BTstack is an open-source Bluetooth Classic and Bluetooth Low Energy stack implementation. The vulnerability resides in the Audio Video Remote Control Profile (AVRCP) Browsing Target subsystem, specifically the GET_FOLDER_ITEMS handler. AVRCP is a Bluetooth profile that enables remote control and browsing of media content on paired devices. The root cause is CWE-125 (Out-of-Bounds Read), where the handler fails to validate packet boundaries and the attribute count field before reading the attr_id parameter from inbound AVRCP packets. This allows an attacker to read memory beyond the intended bounds, potentially corrupting the internal state of attribute bitmap structures used to track which media attributes are valid. The vulnerability is triggered during Bluetooth Classic AVRCP transactions after device pairing has established authentication.
RemediationAI
Vendor-released patch available: BlueKitchen BTstack version 1.8.1 and later. Update BTstack to the patched release from the official GitHub repository at https://github.com/bluekitchen/btstack/releases/tag/v1.8.1. For downstream product consumers (device manufacturers, firmware vendors), verify that embedded BTstack components are updated to v1.8.1 or later. Interim mitigation for systems that cannot be patched immediately includes restricting Bluetooth pairing to trusted devices only and disabling AVRCP Browsing Target functionality if not required for device operation. Full technical details and advisory information are available at https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-browsing-target-get-folder-items-handler-oob-read-undefined-behavior.
BlueKitchen BTstack contains an out-of-bounds read vulnerability in AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTR
BlueKitchen BTstack AVRCP Controller handlers read beyond buffer boundaries when processing specially crafted VENDOR_DEP
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17089
GHSA-g6wp-9j53-v66x