CVE-2026-28526

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-28526
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

3.5 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/bluekitchen/btstack/releases/tag/v1.8.1 Release Notes
https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-controller-list-player-application-setting-handlers-oob-read Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:*
History

03 Apr 2026, 15:58

Type Values Removed Values Added
References () https://github.com/bluekitchen/btstack/releases/tag/v1.8.1 - () https://github.com/bluekitchen/btstack/releases/tag/v1.8.1 - Release Notes
References () https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-controller-list-player-application-setting-handlers-oob-read - () https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-controller-list-player-application-setting-handlers-oob-read - Third Party Advisory
First Time Bluekitchen-gmbh
Bluekitchen-gmbh btstack
CPE cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:*

01 Apr 2026, 14:24

Type Values Removed Values Added
Summary
  • (es) Las versiones de BlueKitchen BTstack anteriores a la 1.8.1 contienen una vulnerabilidad de lectura fuera de límites en los manejadores LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES y LIST_PLAYER_APPLICATION_SETTING_VALUES del controlador AVRCP que permite a los atacantes leer más allá de los límites del búfer. Un atacante cercano con una conexión Bluetooth Classic emparejada puede enviar una respuesta VENDOR_DEPENDENT especialmente diseñada con un valor de conteo controlado por el atacante para activar una lectura fuera de límites desde el búfer de recepción L2CAP, lo que podría causar un fallo en dispositivos con recursos limitados.

30 Mar 2026, 15:16

Type Values Removed Values Added
Summary (en) BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices. (en) BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

30 Mar 2026, 14:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-30 14:16

Updated : 2026-04-03 15:58

NVD link : CVE-2026-28526

Mitre link : CVE-2026-28526

CVE.ORG link : CVE-2026-28526

JSON object : View

Products Affected

bluekitchen-gmbh

  • btstack
CWE
CWE-125

Out-of-bounds Read