Skip to main content

Btstack EUVDEUVD-2026-17087

| CVE-2026-28527 LOW
Out-of-bounds Read (CWE-125)
2026-03-30 VulnCheck GHSA-x9fm-645r-6855
2.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.1 LOW
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 30, 2026 - 14:15 euvd
EUVD-2026-17087
Analysis Generated
Mar 30, 2026 - 14:15 vuln.today
Patch released
Mar 30, 2026 - 14:15 nvd
Patch available
CVE Published
Mar 30, 2026 - 14:07 nvd
LOW 2.1

DescriptionCVE.org

BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.

AnalysisAI

BlueKitchen BTstack contains an out-of-bounds read vulnerability in AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby Bluetooth Classic attackers with a paired connection to trigger information disclosure and potential denial of service. The vulnerability requires an attacker within Bluetooth range to establish a paired connection and send specially crafted VENDOR_DEPENDENT responses, resulting in reads beyond packet boundaries. No public exploit code or active exploitation has been identified; vendor-released patch v1.8.1 is available.

Technical ContextAI

BlueKitchen BTstack is a Bluetooth stack implementation used in embedded systems and IoT devices. The vulnerability resides in the Audio/Video Remote Control Profile (AVRCP) Controller subsystem, specifically in message handlers for player application settings. The root cause is an out-of-bounds read (CWE-125) triggered when processing VENDOR_DEPENDENT response packets from paired Bluetooth Classic devices. The affected AVRCP handlers fail to properly validate packet length before accessing buffer contents, allowing an attacker to read memory regions beyond the allocated packet boundary. This affects all versions of BTstack prior to 1.8.1, as identified by the CPE cpe:2.3:a:bluekitchen_gmbh:btstack:*:*:*:*:*:*:*:* with unrestricted version matching.

RemediationAI

Vendor-released patch: BlueKitchen BTstack v1.8.1 and later. Upgrade to the latest version from the official GitHub releases page at https://github.com/bluekitchen/btstack/releases/tag/v1.8.1. Organizations unable to upgrade immediately should restrict Bluetooth Classic connections to trusted, known paired devices and monitor system logs for unexpected crashes or Bluetooth connection anomalies. Since the vulnerability requires an established pairing and proximity, limiting the number of paired devices and physically controlling access to pairing opportunities provides temporary risk reduction.

Share

EUVD-2026-17087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy