BlueKitchen BTstack < 1.8.1 AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_* Handlers OOB Read

Description

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

Affected Products

Vendor	Product	Versions
bluekitchen	btstack	0

References

https://github.com/bluekitchen/btstack/releases/tag/v1.8.1(release-notes, patch)
https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-controller-list-player-application-setting-handlers-oob-read(third-party-advisory)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-28526 | BlueKitchen BTstack up to 1.8.0 AVRCP Controller Count out-of-bounds

→ No new info (linked only)

CVSS 3.13.5 NONE

CISA KEV❌ No

Actively exploited❌ No

Patch available1.8.1

CWECWE-125

Published3/30/2026

Last enriched4h agov2

Trending Score20

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 1.8.0, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseveritypatchAvailable

via VulDB

v14h ago

Initial creation

BlueKitchen BTstack < 1.8.1 AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_* Handlers OOB Read

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History