Platform
other
Component
btstack
Fixed in
1.8.1
CVE-2026-28528 describes an out-of-bounds read vulnerability discovered in BTstack, a Bluetooth software stack. The flaw allows a malicious, paired Bluetooth Classic connection to crash the system or corrupt its attribute bitmap state. The vulnerability affects versions 0.0 through 1.8.1 of BTstack, and a patch is available in version 1.8.1.
The impact of CVE-2026-28528 is primarily denial of service (DoS). An attacker with a paired Bluetooth Classic connection can trigger a crash in the BTstack implementation by sending a crafted AVRCP GETFOLDERITEMS request with a malicious attr_id parameter. While data exfiltration is unlikely, the crash can disrupt Bluetooth functionality and potentially lead to system instability. The blast radius is limited to devices running the vulnerable BTstack version that are within Bluetooth range of the attacker. This vulnerability highlights the importance of secure Bluetooth implementations.
CVE-2026-28528 was published on 2026-03-30. Exploitation context is currently unknown, and no public proof-of-concept (POC) exploits have been identified. The CVSS score of 4.6 (MEDIUM) indicates a lower probability of exploitation, but the potential for DoS remains a concern. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Devices and systems utilizing BTstack versions 0.0 through 1.8.1 are at risk, particularly those deployed in environments where Bluetooth pairing with untrusted devices is common. This includes embedded systems, IoT devices, and mobile devices that rely on BTstack for Bluetooth connectivity.
disclosure
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28528 is to upgrade BTstack to version 1.8.1 or later. Until the upgrade is possible, restrict Bluetooth pairing to trusted devices. Implement input validation and sanitization on all incoming AVRCP requests. Monitor system logs for crash reports related to AVRCP browsing. After upgrading, confirm the fix by attempting to trigger the vulnerability with a crafted AVRCP GETFOLDERITEMS request and verifying that the request is properly handled without causing a crash.
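The input validation recommended above, shown as an added example that is not BTstack's code or its actual patch: a hypothetical GETFOLDERITEMS attribute-list parser that rejects any attribute id outside the bitmap's range before it is used as a bit index. The PDU layout (1-byte count followed by 4-byte big-endian ids) and the bound ATTR_ID_MAX are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed bounds: the bitmap covers attribute ids 1..8, one bit each.
 * AVRCP media attribute ids are small 1-based integers; anything else
 * must be rejected before it is turned into a bit position. */
#define ATTR_ID_MIN 1u
#define ATTR_ID_MAX 8u

typedef struct {
    uint8_t bits;  /* bit (id - 1) is set when attribute id was requested */
} attr_bitmap_t;

/* Parses the attribute list of a (simplified) GetFolderItems request.
 * Returns the number of ids accepted, or -1 when the PDU is truncated or
 * any id is out of range. The bitmap is left cleared on failure, so a
 * rejected request can never leave partial attribute state behind. */
int parse_attr_list(const uint8_t *pdu, size_t len, attr_bitmap_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;                         /* no count byte */
    uint8_t count = pdu[0];
    if (len < 1 + (size_t)count * 4) return -1;     /* list is truncated */

    for (uint8_t i = 0; i < count; i++) {
        const uint8_t *p = pdu + 1 + (size_t)i * 4;
        uint32_t attr_id = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
        /* The bounds check: without it, attr_id - 1 would be used as a
         * shift or array index beyond the bitmap (id 0 underflows). */
        if (attr_id < ATTR_ID_MIN || attr_id > ATTR_ID_MAX) {
            memset(out, 0, sizeof *out);
            return -1;
        }
        out->bits |= (uint8_t)(1u << (attr_id - 1));
    }
    return count;
}
```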
Update the BTstack library to version 1.8.1 or later. This version contains the fix for the out-of-bounds read vulnerability in the AVRCP Browsing Target GET_FOLDER_ITEMS handler.
CVE-2026-28528 is a medium-severity vulnerability in BTstack versions 0.0–1.8.1 that allows a paired Bluetooth attacker to trigger crashes or corrupt attribute bitmap state through an out-of-bounds read.
If you are using BTstack versions 0.0 through 1.8.1, you are potentially affected by this vulnerability. Upgrade to version 1.8.1 or later to mitigate the risk.
The recommended fix is to upgrade to BTstack version 1.8.1 or a later version that includes the security patch. If an upgrade is not immediately possible, restrict Bluetooth pairing with untrusted devices.
As of now, there is no confirmed evidence of active exploitation of CVE-2026-28528, but the potential for exploitation exists.
Refer to the BTstack project's official website and security advisories for the latest information and updates regarding CVE-2026-28528.