CVE-2026-28528
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability in BTstack prior to version 1.8.1 allows an out-of-bounds read in the AVRCP Browsing Target GET_FOLDER_ITEMS handler due to missing packet boundary and attribute count validation. A paired Bluetooth Classic attacker can trigger crashes and corrupt attribute bitmap state.
Risk Assessment
An attacker can cause device crashes or data corruption, leading to disruption of Bluetooth services and potential system integrity compromise.
Recommendation
Immediately update BTstack to version 1.8.1 or later, which includes fixes for packet boundary and attribute count validation.
Original NVD description (English source)
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler that fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state.

