Description
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.
Published: 2026-03-30
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

BlueKitchen BTstack versions before 1.8.1 contain an out‑of‑bounds read bug in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers. When a nearby attacker establishes a paired Bluetooth Classic connection and sends specially crafted VENDOR_DEPENDENT responses, the stack reads memory beyond the packet boundaries. This can expose sensitive data to the attacker and may also lead to a crash of the affected application, classifying the weakness as CWE‑125 – Out‑of‑Bounds Read.
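
The bounds check this class of bug calls for, as an added example: it is not BTstack's code and not the 1.8.1 fix. The entry layout is assumed from the AVRCP specification for these two responses, and `parse_setting_text`, `text_entry_cb` and the sample packets are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical callback: receives one text entry that is known to be in bounds. */
typedef void (*text_entry_cb)(uint8_t id, uint16_t charset,
                              const uint8_t *text, uint8_t text_len, void *ctx);

/* Walks count(1) | { id(1) charset(2, big-endian) text_len(1) text } * count.
 * Returns the number of entries, or -1 if any field would lie past `len`.
 * Entries before a malformed one have already been delivered to `cb`. */
int parse_setting_text(const uint8_t *p, size_t len, text_entry_cb cb, void *ctx)
{
    if (p == NULL || len < 1) return -1;
    size_t pos = 0;
    uint8_t count = p[pos++];
    for (uint8_t i = 0; i < count; i++) {
        if (len - pos < 4) return -1;            /* id + charset + text_len */
        uint8_t  id       = p[pos];
        uint16_t charset  = (uint16_t)((p[pos + 1] << 8) | p[pos + 2]);
        uint8_t  text_len = p[pos + 3];
        pos += 4;
        /* text_len is peer-controlled: compare it with the bytes that are
         * really left in the packet before exposing the string. */
        if (len - pos < text_len) return -1;
        if (cb != NULL) cb(id, charset, p + pos, text_len, ctx);
        pos += text_len;
    }
    return count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_ok[]  = { 0x01, 0x02, 0x00, 0x6A, 0x03, 'O', 'f', 'f' };
/* Same header, but text_len claims 0x40 bytes while only 3 follow. */
static const uint8_t sample_bad[] = { 0x01, 0x02, 0x00, 0x6A, 0x40, 'O', 'f', 'f' };

static void print_entry(uint8_t id, uint16_t charset,
                        const uint8_t *text, uint8_t text_len, void *ctx)
{
    (*(int *)ctx)++;                             /* count delivered entries */
    printf("id=%u charset=0x%04X text=%.*s\n", (unsigned)id, (unsigned)charset,
           (int)text_len, (const char *)text);
}

int main(void)
{
    int seen = 0;
    printf("ok  -> %d\n", parse_setting_text(sample_ok, sizeof sample_ok, print_entry, &seen));
    printf("bad -> %d\n", parse_setting_text(sample_bad, sizeof sample_bad, print_entry, &seen));
    return 0;
}
```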

Affected Systems

The product is BlueKitchen GmbH’s BTstack. All releases earlier than version 1.8.1 are vulnerable; upgrading to BTstack 1.8.1 or later removes the flaw.

Risk and Exploitability

The CVSS v4.0 base score of 2.1 indicates a low overall severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a Bluetooth Classic connection in close proximity and a successful pairing with the target device, so the attack vector is adjacent (AV:A in both CVSS vectors), limited to Bluetooth range. While the risk of exploitation is low, any unpatched device in range could leak information or crash when interacting with a malicious paired device.

Generated by OpenCVE AI on March 30, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to BTstack 1.8.1 or later to eliminate the out‑of‑bounds read flaw.
  • Verify that the device firmware or software has been updated to the patched version.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:00:00 +0000

Type: Description
Values Removed: BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.
Values Added: BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.

Mon, 30 Mar 2026 14:15:00 +0000

Values Added (no values removed):
Description: BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.
Title: BlueKitchen BTstack < 1.8.1 AVRCP Controller GET_PLAYER_APPLICATION_SETTING_*_TEXT Handlers OOB Read
Weaknesses: CWE-125
References:
Metrics:
  cvssV3_1: score 3.5, vector CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  cvssV4_0: score 2.1, vector CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:13:09.755Z

Reserved: 2026-02-27T21:07:55.468Z

Link: CVE-2026-28527

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-30T14:16:35.003

Modified: 2026-03-30T15:16:25.463

Link: CVE-2026-28527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:41Z

Weaknesses