Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.
AnalysisAI
BlueKitchen BTstack AVRCP Controller handlers read beyond buffer boundaries when processing specially crafted VENDOR_DEPENDENT responses, allowing nearby Bluetooth Classic attackers with a paired connection to trigger an out-of-bounds read that may crash resource-constrained devices. The vulnerability affects all versions prior to v1.8.1, has a CVSS score of 2.1 (very low severity) due to limited availability impact and requirement for paired connection plus user interaction, and no public exploit code or active exploitation has been identified.
Technical ContextAI
BlueKitchen BTstack is a Bluetooth Classic and Bluetooth Low Energy protocol stack implementation. The vulnerability resides in the AVRCP (Audio/Video Remote Control Profile) Controller message handlers for LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES commands. These handlers fail to validate an attacker-controlled count value before using it to read from the L2CAP (Logical Link Control and Adaptation Protocol) receive buffer, resulting in a classic out-of-bounds read condition (CWE-125: Out-of-bounds Read). The root cause is insufficient input validation of count parameters in VENDOR_DEPENDENT response parsing. The affected CPE is cpe:2.3:a:bluekitchen_gmbh:btstack:*:*:*:*:*:*:*:*, indicating all versions of the BTstack library are affected unless patched.
RemediationAI
Vendor-released patch: BTstack v1.8.1 or later. Update to the patched version immediately if your application uses the AVRCP Controller handlers. For embedded or IoT deployments where rapid patching is difficult, temporarily disable AVRCP Controller functionality if not required for your use case, or restrict Bluetooth pairing to trusted devices only. Verify the patch by checking the release notes at https://github.com/bluekitchen/btstack/releases/tag/v1.8.1. No workarounds exist that eliminate the vulnerability while maintaining full AVRCP Controller functionality.
BlueKitchen BTstack contains an out-of-bounds read vulnerability in AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTR
Out-of-bounds read in BlueKitchen BTstack AVRCP Browsing Target GET_FOLDER_ITEMS handler allows paired Bluetooth Classic
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17085