Skip to main content

Btstack CVE-2026-28528

| EUVDEUVD-2026-17089 LOW
Out-of-bounds Read (CWE-125)
2026-03-30 VulnCheck GHSA-g6wp-9j53-v66x
2.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.1 LOW
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 30, 2026 - 14:15 euvd
EUVD-2026-17089
Analysis Generated
Mar 30, 2026 - 14:15 vuln.today
Patch released
Mar 30, 2026 - 14:15 nvd
Patch available
CVE Published
Mar 30, 2026 - 14:08 nvd
LOW 2.1

DescriptionCVE.org

BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.

AnalysisAI

Out-of-bounds read in BlueKitchen BTstack AVRCP Browsing Target GET_FOLDER_ITEMS handler allows paired Bluetooth Classic attackers to cause denial of service and corrupt attribute bitmap state through insufficient bounds validation on the attr_id parameter. Attack requires proximity (Bluetooth range) and an established pairing relationship. CVSS score of 2.1 reflects limited impact (no confidentiality loss, minor integrity and availability degradation) despite low attack complexity; no active exploitation reported at time of analysis.

Technical ContextAI

BlueKitchen BTstack is an open-source Bluetooth Classic and Bluetooth Low Energy stack implementation. The vulnerability resides in the Audio Video Remote Control Profile (AVRCP) Browsing Target subsystem, specifically the GET_FOLDER_ITEMS handler. AVRCP is a Bluetooth profile that enables remote control and browsing of media content on paired devices. The root cause is CWE-125 (Out-of-Bounds Read), where the handler fails to validate packet boundaries and the attribute count field before reading the attr_id parameter from inbound AVRCP packets. This allows an attacker to read memory beyond the intended bounds, potentially corrupting the internal state of attribute bitmap structures used to track which media attributes are valid. The vulnerability is triggered during Bluetooth Classic AVRCP transactions after device pairing has established authentication.

RemediationAI

Vendor-released patch available: BlueKitchen BTstack version 1.8.1 and later. Update BTstack to the patched release from the official GitHub repository at https://github.com/bluekitchen/btstack/releases/tag/v1.8.1. For downstream product consumers (device manufacturers, firmware vendors), verify that embedded BTstack components are updated to v1.8.1 or later. Interim mitigation for systems that cannot be patched immediately includes restricting Bluetooth pairing to trusted devices only and disabling AVRCP Browsing Target functionality if not required for device operation. Full technical details and advisory information are available at https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-browsing-target-get-folder-items-handler-oob-read-undefined-behavior.

Share

CVE-2026-28528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy