CVE-2026-28528

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/bluekitchen/btstack/releases/tag/v1.8.1	Release Notes
https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-browsing-target-get-folder-items-handler-oob-read-undefined-behavior	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:*

History

06 Apr 2026, 12:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:bluekitchen-gmbh:btstack::::::::
First Time		Bluekitchen-gmbh Bluekitchen-gmbh btstack
References	~~() https://github.com/bluekitchen/btstack/releases/tag/v1.8.1 -~~	() https://github.com/bluekitchen/btstack/releases/tag/v1.8.1 - Release Notes
References	~~() https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-browsing-target-get-folder-items-handler-oob-read-undefined-behavior -~~	() https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-browsing-target-get-folder-items-handler-oob-read-undefined-behavior - Third Party Advisory

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) Las versiones de BlueKitchen BTstack anteriores a la 1.8.1 contienen una vulnerabilidad de lectura fuera de límites en el gestor GET_FOLDER_ITEMS del objetivo de navegación AVRCP que no valida los límites de los paquetes y los datos de recuento de atributos. Un atacante con una conexión Bluetooth Classic emparejada puede explotar la comprobación de límites insuficiente en el parámetro attr_id para causar fallos y corromper el estado del mapa de bits de atributos.

30 Mar 2026, 15:16

Type	Values Removed	Values Added
Summary	(en) BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.	(en) BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.

30 Mar 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 14:16

Updated : 2026-04-06 12:42

NVD link : CVE-2026-28528

Mitre link : CVE-2026-28528

CVE.ORG link : CVE-2026-28528

JSON object : View

Products Affected

bluekitchen-gmbh

btstack

CWE

CWE-125

Out-of-bounds Read

CWE-758

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

4.6 /10