Description
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.
Published: 2026-03-30
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to out-of-bounds read and crash
Action: Patch
AI Analysis

Impact

An out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler allows a paired Bluetooth Classic attacker to supply an invalid attr_id value, resulting in a memory read outside the intended buffer and corrupting the attribute bitmap state. This can lead to application crashes or unstable operation, which constitutes a denial of service.

Affected Systems

The vendor, BlueKitchen GmbH, provides the BTstack firmware. Versions earlier than 1.8.1 are affected, that is, every release that has not yet incorporated the 1.8.1 fix. Devices or software that rely on an older BTstack are vulnerable.

Risk and Exploitability

With a CVSS score of 2.1 the vulnerability is rated low severity, and an EPSS score below 1% indicates a very low likelihood of exploitation in the wild. It is not listed in CISA's KEV catalog. Exploitation requires the attacker to be within Bluetooth range and to hold pairing credentials for a Bluetooth Classic connection to the target device. Because the attack depends on proximity and an existing pairing, the risk to unpaired devices is limited, but any affected device that is paired in a public Bluetooth environment remains exposed to a local denial of service.

Generated by OpenCVE AI on April 6, 2026 at 15:20 UTC.
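As an added illustration (not BTstack's code and not taken from the advisory), a defensive parser for the GetFolderItems parameter block that performs the two checks the description says were missing: that the attribute list fits inside the received packet, and that each attr_id is a known value before it is turned into a bitmap index. The field layout and the 0x01-0x08 id range follow the AVRCP specification; the sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* AVRCP media attribute ids run from 0x01 (Title) to 0x08 (Default Cover Art). */
#define AVRCP_MEDIA_ATTR_MIN 0x01u
#define AVRCP_MEDIA_ATTR_MAX 0x08u
/* Fixed part of GetFolderItems: scope(1) + start item(4) + end item(4) + attribute count(1). */
#define GET_FOLDER_ITEMS_HEADER_LEN 10u

typedef struct {
    uint8_t  scope;
    uint32_t start_item;
    uint32_t end_item;
    uint8_t  attr_count;   /* 0x00 = all attributes, 0xFF = no attributes */
    uint8_t  attr_bitmap;  /* bit (attr_id - 1) set for each requested attribute */
} get_folder_items_cmd_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parses the command parameters; returns false on any malformed input instead of
 * reading past the packet or indexing the bitmap with an out-of-range attr_id. */
bool parse_get_folder_items(const uint8_t *pkt, size_t len, get_folder_items_cmd_t *out) {
    if (len < GET_FOLDER_ITEMS_HEADER_LEN) return false;        /* header must be complete */
    out->scope       = pkt[0];
    out->start_item  = read_be32(&pkt[1]);
    out->end_item    = read_be32(&pkt[5]);
    out->attr_count  = pkt[9];
    out->attr_bitmap = 0;
    if (out->attr_count == 0x00) { out->attr_bitmap = 0xFF; return true; }
    if (out->attr_count == 0xFF) return true;
    /* Check 1: the attribute list (4 bytes per id) must lie inside the packet. */
    size_t list_len = (size_t)out->attr_count * 4u;
    if (len - GET_FOLDER_ITEMS_HEADER_LEN < list_len) return false;
    /* Check 2: each attr_id must be a known id before it becomes a bit index. */
    for (size_t i = 0; i < out->attr_count; i++) {
        uint32_t attr_id = read_be32(&pkt[GET_FOLDER_ITEMS_HEADER_LEN + 4u * i]);
        if (attr_id < AVRCP_MEDIA_ATTR_MIN || attr_id > AVRCP_MEDIA_ATTR_MAX) return false;
        out->attr_bitmap |= (uint8_t)(1u << (attr_id - 1u));
    }
    return true;
}

/* Constructed sample packets (not captured traffic): scope 3, items 0..9, then the list. */
static const uint8_t pkt_ok[]        = {3, 0,0,0,0, 0,0,0,9, 2, 0,0,0,1, 0,0,0,3};
static const uint8_t pkt_bad_id[]    = {3, 0,0,0,0, 0,0,0,9, 1, 0,0,0,0x20};
static const uint8_t pkt_truncated[] = {3, 0,0,0,0, 0,0,0,9, 2, 0,0,0,1};
```

pkt_ok yields a bitmap of 0x05 (Title and Album); pkt_bad_id and pkt_truncated are rejected before any bitmap bit is touched.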

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BlueKitchen BTstack to version 1.8.1 or later, which removes the bounds check error.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 13:00:00 +0000

Type: First Time appeared
  Values Added: Bluekitchen-gmbh; Bluekitchen-gmbh btstack
Type: CPEs
  Values Added: cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Bluekitchen-gmbh; Bluekitchen-gmbh btstack

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Bluekitchen; Bluekitchen btstack
Type: Vendors & Products
  Values Added: Bluekitchen; Bluekitchen btstack

Mon, 30 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:00:00 +0000

Type: Description
  Values Removed: BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.
  Values Added: BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.

Mon, 30 Mar 2026 14:15:00 +0000

Type: Description
  Values Added: BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.
Type: Title
  Values Added: BlueKitchen BTstack < 1.8.1 AVRCP Browsing Target GET_FOLDER_ITEMS Handler OOB Read / Undefined Behavior
Type: Weaknesses
  Values Added: CWE-125; CWE-758
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}
  Values Added: cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T16:45:55.370Z

Reserved: 2026-02-27T21:07:55.468Z

Link: CVE-2026-28528

Vulnrichment

Updated: 2026-03-30T16:44:54.115Z

NVD

Status : Analyzed

Published: 2026-03-30T14:16:35.203

Modified: 2026-04-06T12:42:11.190

Link: CVE-2026-28528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:39Z

Weaknesses