PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28526 BlueKitchen GmbH CVE debrief

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers. This vulnerability allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices. The CVE record was published on 2026-03-30T14:16:34.750Z and has not been modified since then. The NVD entry is currently Analyzed.

Vendor
BlueKitchen GmbH
Product
BTstack
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-30
Original CVE updated
2026-07-14
Advisory published
2026-03-30
Advisory updated
2026-07-14

Who should care

Users of BlueKitchen BTstack versions prior to 1.8.1 should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 1.8.1 or later, and being cautious of nearby attackers with paired Bluetooth Classic connections. Affected operators, platforms, and security teams should review the official CVE record and NVD entry for further information.

Technical summary

The vulnerability is caused by an out-of-bounds read in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers. This can be triggered by a nearby attacker with a paired Bluetooth Classic connection sending a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value. The vulnerability allows attackers to read beyond buffer boundaries, potentially causing a crash on resource-constrained devices. The affected product is BlueKitchen BTstack versions prior to 1.8.1.

Defensive priority

Low

Recommended defensive actions

  • Update BlueKitchen BTstack to version 1.8.1 or later
  • Be cautious of nearby attackers with paired Bluetooth Classic connections
  • Monitor for suspicious activity on Bluetooth Classic connections
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-03-30T14:16:34.750Z and was last modified on 2026-07-14T19:16:54.187Z. The NVD entry is currently Analyzed. This information is based on the supplied source corpus and may not reflect the full scope of the vulnerability. Defenders should verify the affected scope and severity with the official CVE record and NVD entry. The CVE-2026-28526 record indicates that BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-30T14:16:34.750Z and has not been modified since then. The NVD entry is currently Analyzed.