CVE-2026-28528 Overview
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability (CWE-125) in the AVRCP Browsing Target GET_FOLDER_ITEMS handler. The vulnerability stems from the handler's failure to validate packet boundaries and attribute count data. An attacker with an established paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to trigger memory corruption, causing application crashes and corrupting the attribute bitmap state.
Critical Impact
Successful exploitation allows an adjacent network attacker to cause denial of service through application crashes and potentially corrupt internal state of the Bluetooth stack, affecting device stability.
Affected Products
- BlueKitchen BTstack versions prior to 1.8.1
Discovery Timeline
- 2026-03-30 - CVE-2026-28528 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-28528
Vulnerability Analysis
This out-of-bounds read vulnerability exists in the AVRCP (Audio/Video Remote Control Profile) Browsing Target implementation within BTstack. The GET_FOLDER_ITEMS handler processes incoming Bluetooth Classic AVRCP browsing commands but fails to properly validate the boundaries of incoming packets and the count of attributes specified in the request.
The AVRCP Browsing feature allows Bluetooth controllers to navigate media content on connected devices. When processing folder item requests, the handler reads attribute identifiers from the incoming packet without verifying that sufficient data exists within the packet buffer. This allows an attacker to craft malicious packets that cause the handler to read beyond allocated memory boundaries.
The attack requires an adjacent network position (Bluetooth range) and a paired connection with the target device, which adds a prerequisite barrier to exploitation. User interaction is required to establish the pairing, limiting opportunistic attacks.
Root Cause
The root cause is insufficient input validation in the AVRCP Browsing Target's GET_FOLDER_ITEMS handler. Specifically, the code fails to verify that the attr_id parameter and associated attribute count values fall within the bounds of the received packet data. This allows processing of untrusted attribute count values that may exceed the actual packet length, leading to out-of-bounds memory access operations.
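The checks this class of bug calls for, as an added example (not BTstack's code or its patch): a stand-alone validator for the GET_FOLDER_ITEMS parameter block, using the AVRCP layout of scope (1 byte), start item (4), end item (4), attribute count (1), then 4-byte attribute IDs. The names `gfi_parse` and `gfi_request_t`, the 16-bit bitmap and the `ATTR_ID_MAX` limit of 8 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define GFI_FIXED_LEN   10u    /* scope(1) + start item(4) + end item(4) + attribute count(1) */
#define ATTR_COUNT_ALL  0x00u  /* all attributes requested, no list follows */
#define ATTR_COUNT_NONE 0xFFu  /* no attributes requested, no list follows */
#define ATTR_ID_MAX     8u     /* highest attribute ID accepted (assumed limit) */

typedef struct {
    uint8_t  scope;
    uint32_t start_item;
    uint32_t end_item;
    uint16_t attr_bitmap;      /* bit (id - 1) set for each requested attribute */
} gfi_request_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if malformed; *out is written only on success. */
int gfi_parse(const uint8_t *params, size_t len, gfi_request_t *out) {
    if (params == NULL || out == NULL || len < GFI_FIXED_LEN) return -1;
    gfi_request_t req = {0};
    req.scope = params[0];
    req.start_item = read_be32(params + 1);
    req.end_item = read_be32(params + 5);
    uint8_t count = params[9];
    if (count == ATTR_COUNT_ALL) {
        req.attr_bitmap = (uint16_t)((1u << ATTR_ID_MAX) - 1u);
    } else if (count != ATTR_COUNT_NONE) {
        /* count comes from the peer: compare it with the bytes actually received */
        if ((size_t)count * 4u > len - GFI_FIXED_LEN) return -1;
        for (size_t i = 0; i < count; i++) {
            uint32_t attr_id = read_be32(params + GFI_FIXED_LEN + i * 4u);
            /* range-check the ID before it becomes a shift amount into the bitmap */
            if (attr_id < 1u || attr_id > ATTR_ID_MAX) return -1;
            req.attr_bitmap |= (uint16_t)(1u << (attr_id - 1u));
        }
    }
    *out = req;
    return 0;
}

int main(void) {
    /* Constructed sample: count claims 5 attribute IDs, only one is present. */
    const uint8_t lying[] = {0x03, 0,0,0,0, 0,0,0,9, 0x05, 0,0,0,1};
    gfi_request_t r;
    return gfi_parse(lying, sizeof lying, &r) == -1 ? 0 : 1;
}
```

The same function can serve as the acceptance check in a capture-analysis tool: any request it rejects is one whose declared attribute count or attribute ID does not match the bytes on the wire.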
Attack Vector
The attack vector requires adjacent network access via Bluetooth Classic connectivity. An attacker must first establish a paired Bluetooth connection with the vulnerable device, which typically requires user interaction for the initial pairing process. Once paired, the attacker can send malformed AVRCP browsing commands containing carefully crafted GET_FOLDER_ITEMS requests with invalid attribute counts or boundary values.
The malicious packet triggers the handler to read beyond the allocated packet buffer, potentially accessing adjacent memory regions. This can result in:
- Application crashes due to accessing unmapped memory
- Corruption of the attribute bitmap state
- Information disclosure if sensitive data exists in adjacent memory
The vulnerability is described in the VulnCheck Advisory on BTstack. Technical details regarding the fix can be found in the GitHub BTstack Release v1.8.1.
Detection Methods for CVE-2026-28528
Indicators of Compromise
- Unexpected crashes or restarts of applications using BTstack Bluetooth functionality
- Anomalous Bluetooth AVRCP browsing command traffic from paired devices
- Memory access violation errors in BTstack-related process logs
Detection Strategies
- Monitor Bluetooth stack logs for AVRCP browsing handler errors or crashes
- Implement Bluetooth traffic analysis to detect malformed GET_FOLDER_ITEMS requests with suspicious attribute counts
- Deploy endpoint detection solutions capable of identifying out-of-bounds read attempts in Bluetooth stack components
Monitoring Recommendations
- Enable verbose logging for BTstack components to capture AVRCP handler activity
- Monitor system stability metrics on devices using BTstack for Bluetooth functionality
- Implement alerting on repeated Bluetooth connection attempts from the same device followed by disconnections
How to Mitigate CVE-2026-28528
Immediate Actions Required
- Upgrade BlueKitchen BTstack to version 1.8.1 or later immediately
- Review and audit all devices in your environment that utilize BTstack for Bluetooth functionality
- Consider temporarily disabling AVRCP browsing functionality if patching is not immediately feasible
- Limit Bluetooth pairing to trusted devices only and remove unnecessary pairings
Patch Information
BlueKitchen has released BTstack version 1.8.1 which addresses this vulnerability by implementing proper boundary validation in the AVRCP Browsing Target GET_FOLDER_ITEMS handler. The patch ensures that attribute count values and packet boundaries are validated before processing.
The fix is available in the official GitHub BTstack Release v1.8.1. Organizations using embedded systems or IoT devices with BTstack should contact their device vendors for firmware updates incorporating this fix.
Workarounds
- Disable AVRCP browsing functionality in BTstack configuration if not required for your use case
- Implement network segmentation to limit Bluetooth exposure in sensitive environments
- Remove unused Bluetooth pairings and restrict new pairing operations to trusted devices
- Deploy host-based intrusion detection to monitor for abnormal Bluetooth stack behavior

