CVE-2026-28527
Published: 30 March 2026
Summary
CVE-2026-28527 is a low-severity Out-of-bounds Read (CWE-125) vulnerability in Bluekitchen-Gmbh Btstack. Its CVSS base score is 2.1 (Low).
Operationally, it ranks at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-28527, published on 2026-03-30, is an out-of-bounds read vulnerability (CWE-125) in BlueKitchen BTstack versions prior to 1.8.1. The flaw affects the AVRCP Controller handlers for GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT, which can read beyond packet boundaries when processing malformed input.
Nearby attackers within Bluetooth range can exploit this vulnerability after establishing a paired Bluetooth Classic connection by sending specially crafted VENDOR_DEPENDENT responses. Successful exploitation triggers out-of-bounds reads, resulting in information disclosure and potential crashes on affected devices. The CVSS v3.1 base score of 3.5 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) reflects its low severity, requiring user interaction and adjacent network access with no privileges.
The BlueKitchen BTstack release v1.8.1 on GitHub addresses this issue. Further technical details are available in the VulnCheck advisory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17087
Vulnerability details
BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques: insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the out-of-bounds read by requiring timely remediation through patching BlueKitchen BTstack to version 1.8.1 or later.
- SI-10 (Information Input Validation): requires validation of incoming Bluetooth AVRCP VENDOR_DEPENDENT responses to prevent processing malformed packets that trigger out-of-bounds reads.
- SI-16 (Memory Protection): implements memory protection mechanisms like bounds checking to block out-of-bounds reads in BTstack handlers even if inputs are malformed.
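The two controls above (input validation and bounds checking) come down to one parser discipline: every length field inside a VENDOR_DEPENDENT response is attacker-controlled and must be checked against the bytes actually received before it is used to index the packet. The following is an added illustration written for this page, not BTstack's own handler code. It assumes the per-attribute layout of a GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT response as one attribute count byte followed by entries of attribute id (1 byte), character set id (2 bytes, big-endian), text length (1 byte) and text; the sample packets are constructed, not captured from a device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One parsed attribute-text entry; text points into the caller's packet. */
typedef struct {
    uint8_t        attribute_id;
    uint16_t       charset_id;
    uint8_t        text_len;
    const uint8_t *text;
} avrcp_attr_text_t;

enum parse_status {
    PARSE_EMPTY     = -1,   /* no attribute-count byte at all            */
    PARSE_TRUNCATED = -2,   /* a length field points past the packet end */
    PARSE_TOO_MANY  = -3    /* more entries than the caller can hold     */
};

/* Bounds-checked parser (assumed layout, see lead-in):
 *   [0] num_attributes
 *   repeated: [attr_id:1][charset_id:2 BE][text_len:1][text:text_len]
 * Returns the number of entries parsed, or a negative parse_status.
 * The invariant pos <= pkt_len holds at every step, so the subtractions
 * below cannot wrap and no read ever leaves the packet buffer. */
int parse_attribute_text_response(const uint8_t *pkt, size_t pkt_len,
                                  avrcp_attr_text_t *out, size_t out_max)
{
    if (pkt_len < 1) return PARSE_EMPTY;
    uint8_t num   = pkt[0];
    size_t  pos   = 1;
    size_t  count = 0;

    for (uint8_t i = 0; i < num; i++) {
        /* Check 1: the 4-byte fixed header of this entry must be present. */
        if (pkt_len - pos < 4) return PARSE_TRUNCATED;
        uint8_t  attr_id  = pkt[pos];
        uint16_t charset  = (uint16_t)((pkt[pos + 1] << 8) | pkt[pos + 2]);
        uint8_t  text_len = pkt[pos + 3];
        pos += 4;

        /* Check 2: the declared text length must fit in the remaining bytes.
         * Skipping this check is exactly what lets a crafted length field
         * turn into an out-of-bounds read. */
        if (pkt_len - pos < text_len) return PARSE_TRUNCATED;

        if (count == out_max) return PARSE_TOO_MANY;
        out[count].attribute_id = attr_id;
        out[count].charset_id   = charset;
        out[count].text_len     = text_len;
        out[count].text         = pkt + pos;
        count++;
        pos += text_len;
    }
    return (int)count;
}

/* Constructed sample packets (charset 0x006A = UTF-8). */
static const uint8_t SAMPLE_OK[] = {
    2,                              /* two attributes            */
    1, 0x00, 0x6A, 3, 'a', 'b', 'c',
    2, 0x00, 0x6A, 2, 'x', 'y'
};
static const uint8_t SAMPLE_BAD_TEXT_LEN[] = {
    1,
    1, 0x00, 0x6A, 16, 'a', 'b'     /* claims 16 bytes, carries 2 */
};
static const uint8_t SAMPLE_BAD_HEADER[] = {
    2,
    1, 0x00, 0x6A, 1, 'a'           /* second entry header missing */
};

/* Small wrappers so each case can be exercised by name. */
int demo_parse_ok(void) {
    avrcp_attr_text_t out[4];
    return parse_attribute_text_response(SAMPLE_OK, sizeof SAMPLE_OK, out, 4);
}
int demo_parse_bad_text_len(void) {
    avrcp_attr_text_t out[4];
    return parse_attribute_text_response(SAMPLE_BAD_TEXT_LEN,
                                         sizeof SAMPLE_BAD_TEXT_LEN, out, 4);
}
int demo_parse_bad_header(void) {
    avrcp_attr_text_t out[4];
    return parse_attribute_text_response(SAMPLE_BAD_HEADER,
                                         sizeof SAMPLE_BAD_HEADER, out, 4);
}

int main(void) {
    printf("well-formed packet : %d entries\n", demo_parse_ok());
    printf("oversized text_len : status %d\n", demo_parse_bad_text_len());
    printf("missing 2nd header : status %d\n", demo_parse_bad_header());
    return 0;
}
```

Note that the parser rejects the whole response rather than silently clamping a bad length; for a detection use case, the PARSE_TRUNCATED path is also the natural place to log the peer address and the offending length field.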