Description
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.
Published: 2026-03-30
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: Out-of-Bounds Read leading to potential crash on resource-constrained devices
Action: Patch Now
AI Analysis

Impact

BlueKitchen BTstack versions before 1.8.1 expose a buffer over-read in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers. A crafted VENDOR_DEPENDENT response containing an attacker‑controlled count value can cause the stack to read beyond the bounds of the L2CAP receive buffer, potentially triggering a crash on devices with limited resources.

Affected Systems

The vulnerability affects any deployment of BlueKitchen BTstack older than version 1.8.1. Systems that use the AVRCP Controller functionality and accept dynamically generated attribute lists are susceptible. This includes embedded Bluetooth Classic modules on consumer electronics, automotive infotainment systems, and IoT devices that incorporate the affected BTstack libraries.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and the vulnerability is only exploitable by a nearby attacker who has an active paired Bluetooth Classic connection. While this does not compromise confidentiality or integrity, the out-of-bounds read may lead to a denial‑of‑service by crashing the device. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. Nonetheless, because the attack requires local proximity and pairing, it represents a real risk for embedded or low‑resource devices where stability is critical.

Generated by OpenCVE AI on March 30, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest BTstack release (v1.8.1) or later
  • If unable to update immediately, disable AVRCP functionality or block VENDOR_DEPENDENT responses from untrusted sources
  • Ensure devices have proper pairing controls and limit exposure to nearby Bluetooth Classic connections

Generated by OpenCVE AI on March 30, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices. BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

Mon, 30 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Description BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.
Title BlueKitchen BTstack < 1.8.1 AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_* Handlers OOB Read
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:39:26.443Z

Reserved: 2026-02-27T21:07:55.468Z

Link: CVE-2026-28526

cve-icon Vulnrichment

Updated: 2026-03-30T14:39:23.352Z

cve-icon NVD

Status : Received

Published: 2026-03-30T14:16:34.750

Modified: 2026-03-30T15:16:25.300

Link: CVE-2026-28526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:55:42Z

Weaknesses