Description
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.
Published: 2026-03-30
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via crash
Action: Apply Patch
AI Analysis

Impact

The flaw enables a nearby attacker with a paired Bluetooth Classic connection to send a crafted VENDOR_DEPENDENT response that contains an attacker‑controlled count. In the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers this triggers an out‑of‑bounds read from the L2CAP receive buffer, potentially exposing data beyond the intended buffer and causing a crash on resource‑constrained devices, effectively denying service.

Affected Systems

All releases of BlueKitchen GmbH BTstack prior to version 1.8.1 are affected. Devices or embedded products that embed BTstack 1.8.0 or earlier and maintain a Bluetooth Classic pairing with another device are vulnerable.

Risk and Exploitability

The CVSS score of 2.1 combined with an EPSS value below 1 % indicates low severity and a very small likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires physical proximity and an existing Bluetooth Classic pairing, limiting the threat surface. While the crash could interrupt device operation, widespread impact is unlikely without a more active payload.

Generated by OpenCVE AI on April 3, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BTstack to version 1.8.1 or later
  • Verify the firmware version on all embedded devices using BTstack
  • Restrict Bluetooth Classic pairing to trusted devices only
  • Monitor logs for unexpected AVRCP LIST_PLAYER_APPLICATION_SETTING commands

Generated by OpenCVE AI on April 3, 2026 at 18:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Bluekitchen-gmbh
Bluekitchen-gmbh btstack
CPEs cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:*
Vendors & Products Bluekitchen-gmbh
Bluekitchen-gmbh btstack

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Bluekitchen
Bluekitchen btstack
Vendors & Products Bluekitchen
Bluekitchen btstack

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices. BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

Mon, 30 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Description BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.
Title BlueKitchen BTstack < 1.8.1 AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_* Handlers OOB Read
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Bluekitchen Btstack
Bluekitchen-gmbh Btstack
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:39:26.443Z

Reserved: 2026-02-27T21:07:55.468Z

Link: CVE-2026-28526

cve-icon Vulnrichment

Updated: 2026-03-30T14:39:23.352Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T14:16:34.750

Modified: 2026-04-03T15:58:18.837

Link: CVE-2026-28526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:54Z

Weaknesses