CVE Catalog

CVE-2026-28528

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile - higher than 3% of all known CVEs

Summary

A vulnerability in BTstack prior to version 1.8.1 allows an out-of-bounds read in the AVRCP Browsing Target GET_FOLDER_ITEMS handler due to missing packet boundary and attribute count validation. A paired Bluetooth Classic attacker can trigger crashes and corrupt attribute bitmap state.

Risk Assessment

An attacker can cause device crashes or data corruption, leading to disruption of Bluetooth services and potential system integrity compromise.

Recommendation

Immediately update BTstack to version 1.8.1 or later, which includes fixes for packet boundary and attribute count validation.

Original NVD description (English source)

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS