CVE-2026-28527 | BlueKitchen BTstack up to 1.8.0 AVRCP Controller out-of-bounds

VDB-354192 · CVE-2026-28527 · EUVD-2026-17087 BLUEKITCHEN BTSTACK UP TO 1.8.0 AVRCP CONTROLLER OUT-OF-BOUNDS HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.4 $0-$5k 3.29+ Summaryinfo A vulnerability was found in BlueKitchen BTstack up to 1.8.0. It has been declared as problematic. This vulnerability affects the function GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT/GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT of the component AVRCP Controller. The manipulation results in out-of-bounds. This vulnerability is reported as CVE-2026-28527. The attacker must have access to the local network to execute the attack. No exploit exists. It is recommended to upgrade the affected component. Detailsinfo A vulnerability was found in BlueKitchen BTstack up to 1.8.0. It has been classified as problematic. Affected is the function GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT/GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT of the component AVRCP Controller. The manipulation with an unknown input leads to a out-of-bounds vulnerability. CWE is classifying the issue as CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. This is going to have an impact on availability. CVE summarizes: BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish a paired Bluetooth Classic connection and send specially crafted VENDOR_DEPENDENT responses to trigger out-of-bounds reads, causing information disclosure and potential crashes on affected devices. The weakness was disclosed by Kazuma Matsumoto. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-28527 since 02/27/2026. The exploitability is told to be easy. Access to the local network is required for this attack to succeed. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. Upgrading to version 1.8.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-17087). Productinfo Vendor BlueKitchen Name BTstack Version 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8.0 Website Product: https://github.com/bluekitchen/btstack/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 3.5 VulDB Meta Temp Score: 3.4 VulDB Base Score: 3.5 VulDB Temp Score: 3.4 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 3.5 CNA Vector (VulnCheck): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Out-of-bounds CWE: CWE-125 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Partially Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: BTstack 1.8.1 Timelineinfo 02/27/2026 CVE reserved 03/30/2026 +30 days Advisory disclosed 03/30/2026 +0 days VulDB entry created 03/30/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Researcher: Kazuma Matsumoto Status: Confirmed CVE: CVE-2026-28527 (🔒) GCVE (CVE): GCVE-0-2026-28527 GCVE (VulDB): GCVE-100-354192 EUVD: 🔒 Entryinfo Created: 03/30/2026 16:39 Updated: 03/30/2026 18:37 Changes: 03/30/2026 16:39 (79), 03/30/2026 18:37 (1) Complete: 🔍 Cache ID: 99:8A2:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸