Cyber Resilience

CVE-2026-28527

Low · Public PoC

Published: 30 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: BTstack v1.8.1
CVSS Score v4: 2.1 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (6.6th percentile)
Risk Priority: 4 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28527 is a low-severity out-of-bounds read (CWE-125) vulnerability in BlueKitchen BTstack. Its CVSS base score is 2.1 (Low).

Operationally, it ranks at the 6.6th percentile by exploit likelihood (EPSS, below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-28527, published on 2026-03-30, is an out-of-bounds read vulnerability (CWE-125) in BlueKitchen BTstack versions prior to 1.8.1. The flaw affects the AVRCP Controller handlers for GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT, which can read beyond packet boundaries when processing malformed input.

Nearby attackers within Bluetooth range can exploit this vulnerability after establishing a paired Bluetooth Classic connection by sending specially crafted VENDOR_DEPENDENT responses. Successful exploitation triggers out-of-bounds reads, resulting in information disclosure and potential crashes on affected devices. The CVSS v3.1 base score of 3.5 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) reflects its low severity, requiring user interaction and adjacent network access with no privileges.

The BlueKitchen BTstack release v1.8.1 on GitHub addresses this issue. Further technical details are available in the VulnCheck advisory.


Vulnerability details

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.


MITRE ATT&CK Enterprise Techniques (AI-generated)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55100 (shared CWE-125)
CVE-2026-41604 (shared CWE-125)
CVE-2026-2664 (shared CWE-125)
CVE-2025-20916 (shared CWE-125)
CVE-2026-31558 (shared CWE-125)
CVE-2026-30997 (shared CWE-125)
CVE-2026-35444 (shared CWE-125)
CVE-2026-31613 (shared CWE-125)
CVE-2026-20611 (shared CWE-125)
CVE-2026-23388 (shared CWE-125)

Affected Assets

Vendor: bluekitchen-gmbh
Product: btstack
Versions: ≤ 1.8.1

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Directly mitigates the out-of-bounds read by requiring timely remediation through patching BlueKitchen BTstack to version 1.8.1 or later.

Prevent (SI-10, Information Input Validation): Requires validation of incoming Bluetooth AVRCP VENDOR_DEPENDENT responses to prevent processing malformed packets that trigger out-of-bounds reads.

Prevent (SI-16, Memory Protection): Implements memory protection mechanisms such as bounds checking to block out-of-bounds reads in BTstack handlers even if inputs are malformed.
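To make concrete the bounds checking that the SI-16 control above calls for, and the "read beyond packet boundaries" failure described in the deeper analysis, here is an added C example that is not BTstack's code: a parser for an attribute-text list that checks every length field against the bytes actually received before reading. The record layout (count byte, then per attribute an id, a 16-bit charset id, a length byte and the string), the struct and the function names are assumptions modelled on the AVRCP GetPlayerApplicationSettingAttributeText response, not taken from BTstack.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed layout modelled on the AVRCP GetPlayerApplicationSettingAttributeText
   response (an assumption; not BTstack's structures or code): num_attributes(1),
   then per attribute: attribute_id(1), charset_id(2, big-endian), string_len(1),
   string(string_len). */
typedef struct {
    uint8_t        attribute_id;
    uint16_t       charset_id;
    uint8_t        string_len;
    const uint8_t *string;   /* points into pkt; caller copies if needed */
} avrcp_attr_text_t;

/* Returns the number of attributes parsed, or -1 if the packet is malformed.
   Every read is preceded by a check that the bytes exist, so a short packet or
   a lying length field cannot drive reads past the buffer (CWE-125). */
int parse_attribute_text_response(const uint8_t *pkt, size_t len,
                                  avrcp_attr_text_t *out, size_t max_out)
{
    size_t pos = 0, count = 0;
    if (pkt == NULL || len < 1) return -1;
    uint8_t num_attributes = pkt[pos++];
    for (uint8_t i = 0; i < num_attributes; i++) {
        if (len - pos < 4) return -1;            /* fixed header: id + charset + len */
        avrcp_attr_text_t a;
        a.attribute_id = pkt[pos];
        a.charset_id   = (uint16_t)((pkt[pos + 1] << 8) | pkt[pos + 2]);
        a.string_len   = pkt[pos + 3];
        pos += 4;
        if (len - pos < a.string_len) return -1; /* declared length must fit remainder */
        a.string = pkt + pos;
        pos += a.string_len;
        if (count < max_out) out[count] = a;    /* never write past the caller's array */
        count++;
    }
    return (int)count;
}

/* Constructed sample packets (not captured traffic). The second declares a
   16-byte string for the last attribute while only 2 bytes remain. */
static const uint8_t sample_ok[]    = { 2, 0x01, 0x00, 0x6A, 3, 'A', 'b', 'c', 0x02, 0x00, 0x6A, 2,  'H', 'i' };
static const uint8_t sample_lying[] = { 2, 0x01, 0x00, 0x6A, 3, 'A', 'b', 'c', 0x02, 0x00, 0x6A, 16, 'H', 'i' };

int example_well_formed(void)  { avrcp_attr_text_t a[4]; return parse_attribute_text_response(sample_ok,    sizeof sample_ok,    a, 4); }
int example_lying_length(void) { avrcp_attr_text_t a[4]; return parse_attribute_text_response(sample_lying, sizeof sample_lying, a, 4); }
```

The well-formed packet parses to 2 attributes; the packet with the inflated length field is rejected with -1 instead of being read 14 bytes past its end.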
