PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28528 Bluekitchen Gmbh CVE debrief

CVE-2026-28528 is an out-of-bounds read vulnerability in BlueKitchen BTstack versions prior to 1.8.1. The vulnerability exists in the AVRCP Browsing Target GET_FOLDER_ITEMS handler, which fails to validate packet boundaries and attribute count data. An attacker with a paired Bluetooth Classic connection can exploit insufficient bounds checking on the attr_id parameter to cause crashes and corrupt attribute bitmap state. Organizations using BlueKitchen BTstack versions prior to 1.8.1 should be aware of this vulnerability and take steps to mitigate it. This vulnerability could potentially be used to cause crashes and corrupt attribute bitmap state, leading to denial of service or other issues. The affected operator, platform, vulnerability-management, and security-team impact should be reviewed.

Vendor
Bluekitchen Gmbh
Product
Btstack
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-30
Original CVE updated
2026-07-14
Advisory published
2026-03-30
Advisory updated
2026-07-14

Who should care

Organizations using BlueKitchen BTstack versions prior to 1.8.1 should be aware of this vulnerability and take steps to mitigate it. This vulnerability could potentially be used to cause crashes and corrupt attribute bitmap state, leading to denial of service or other issues. The affected operator, platform, vulnerability-management, and security-team impact should be reviewed.

Technical summary

The vulnerability exists in the AVRCP Browsing Target GET_FOLDER_ITEMS handler of BlueKitchen BTstack versions prior to 1.8.1. The handler fails to validate packet boundaries and attribute count data, allowing an attacker with a paired Bluetooth Classic connection to exploit insufficient bounds checking on the attr_id parameter. This can cause crashes and corrupt attribute bitmap state. The affected product deployments should be reviewed, and owners should be assigned for follow-up. The official advisory or CVE record should be reviewed to validate affected scope, severity, and vendor guidance.

Defensive priority

Medium

Recommended defensive actions

  • Inventory and verify affected BlueKitchen BTstack versions
  • Apply patch or upgrade to version 1.8.1 or later
  • Implement compensating controls, such as monitoring for suspicious Bluetooth activity
  • Consider disabling Bluetooth Classic connections if not necessary
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-03-30T14:16:35.203Z and was last modified on 2026-07-14T19:16:54.453Z. The NVD entry is currently Analyzed. The BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler. The vulnerability exists due to insufficient bounds checking on the attr_id parameter, which can cause crashes and corrupt attribute bitmap state. The source detail is limited, and defenders should verify the affected scope and severity with the vendor. The CVE record was last modified on 2026-07-14T19:16:54.453Z, and no additional information is available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-30T14:16:35.203Z and has not been modified since then. The NVD entry is currently Analyzed.