Platform: other
Component: btstack
Fixed in: 1.8.1
CVE-2026-28528 describes an out-of-bounds read in BTstack, an open-source Bluetooth software stack. A malicious peer that already holds a paired Bluetooth Classic connection can use it to crash the stack or corrupt its attribute bitmap state. The advisory lists the affected range as BTstack 0.0 through 1.8.1, with the fix shipping in 1.8.1, so any build that predates the fixed 1.8.1 release should be treated as affected.
To exploit the issue an attacker needs an already paired Bluetooth Classic link to the target, over which crafted AVRCP browsing packets are sent to BTstack's AVRCP Browsing Target handler for GetFolderItems (AVRCP PDU ID 0x71). The handler does not check the attribute count and attribute list carried in the request against the number of bytes actually received, so a request that declares more attributes than it carries makes the parser read past the end of the packet. The observable results are a crash of the stack (denial of service) and corruption of the bitmap the target keeps of the requested attributes, which can leave the browsing target in an inconsistent state. The pairing requirement limits who can reach the handler, but a paired device that is later compromised, or a user tricked into pairing with a hostile one, is enough to reach it.
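The class of mistake the advisory describes, shown as an added example in C that is not BTstack's code: a minimal parser for the AVRCP 1.6 GetFolderItems request (PDU ID 0x71 on the browsing channel) in the vulnerable shape, which trusts the attribute count and attribute IDs it is given, beside a checked shape that bounds every read by the received length and range-checks attribute IDs before building the attribute bitmap. The packet layout follows the AVRCP specification; the sample packets are constructed, and the function and constant names are this example's own, not BTstack identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AVRCP 1.6 GetFolderItems request on the browsing channel (added example,
 * not BTstack code): 4-byte header (PDU ID, reserved, 2-byte big-endian
 * parameter length), then scope(1) start_item(4) end_item(4)
 * attribute_count(1) attribute_list(attribute_count * 4 bytes).
 * attribute_count 0xFF requests all attributes and carries no list. */
#define AVRCP_PDU_ID_GET_FOLDER_ITEMS 0x71
#define BROWSING_HEADER_LEN 4
#define GET_FOLDER_ITEMS_FIXED_LEN 10
#define MEDIA_ATTR_ID_MAX 8 /* AVRCP 1.6 media attribute IDs run 1..8 */

typedef struct {
    uint8_t  scope;
    uint32_t start_item, end_item;
    uint8_t  attribute_count;
    uint32_t attribute_bitmap; /* bit n set: attribute ID n was requested */
} get_folder_items_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void set_all_attributes(get_folder_items_t *out) {
    out->attribute_bitmap = ((1u << MEDIA_ATTR_ID_MAX) - 1u) << 1;
}

/* Vulnerable shape: the received length is never consulted. A count larger
 * than the list actually carried drives the loop past the packet (out-of-
 * bounds read), and an attribute ID of 32 or more makes the shift count
 * out of range, corrupting the bitmap. Only call this on well-formed input. */
bool parse_get_folder_items_unchecked(const uint8_t *pkt, size_t len, get_folder_items_t *out) {
    (void)len; /* the bug */
    const uint8_t *p = pkt + BROWSING_HEADER_LEN;
    memset(out, 0, sizeof *out);
    out->scope = p[0]; out->start_item = be32(p + 1); out->end_item = be32(p + 5);
    out->attribute_count = p[9];
    if (out->attribute_count == 0xFF) { set_all_attributes(out); return true; }
    for (unsigned i = 0; i < out->attribute_count; i++) {
        uint32_t attr_id = be32(p + GET_FOLDER_ITEMS_FIXED_LEN + 4 * i); /* may read past pkt+len */
        out->attribute_bitmap |= 1u << attr_id;                          /* attr_id >= 32: undefined */
    }
    return true;
}

/* Hardened shape: every field is checked against the bytes the transport
 * delivered, the declared list must fit the declared parameter length, and
 * attribute IDs are range-checked before being used as a shift count. */
bool parse_get_folder_items_checked(const uint8_t *pkt, size_t len, get_folder_items_t *out) {
    if (len < BROWSING_HEADER_LEN || pkt[0] != AVRCP_PDU_ID_GET_FOLDER_ITEMS) return false;
    size_t param_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (param_len + BROWSING_HEADER_LEN > len) return false; /* declared length not backed by bytes */
    if (param_len < GET_FOLDER_ITEMS_FIXED_LEN) return false; /* fixed fields missing */
    const uint8_t *p = pkt + BROWSING_HEADER_LEN;
    memset(out, 0, sizeof *out);
    out->scope = p[0]; out->start_item = be32(p + 1); out->end_item = be32(p + 5);
    out->attribute_count = p[9];
    if (out->start_item > out->end_item) return false;
    if (out->attribute_count == 0xFF) { set_all_attributes(out); return true; }
    size_t list_len = (size_t)out->attribute_count * 4;
    if (param_len - GET_FOLDER_ITEMS_FIXED_LEN < list_len) return false; /* list shorter than count */
    for (unsigned i = 0; i < out->attribute_count; i++) {
        uint32_t attr_id = be32(p + GET_FOLDER_ITEMS_FIXED_LEN + 4 * i);
        if (attr_id < 1 || attr_id > MEDIA_ATTR_ID_MAX) return false; /* reject before shifting */
        out->attribute_bitmap |= 1u << attr_id;
    }
    return true;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t valid_req[] = {            /* items 0..9 of scope 1, attributes title+artist */
    0x71, 0x00, 0x00, 0x12, 0x01, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x09,
    0x02, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02 };
static const uint8_t short_list_req[] = {       /* claims 32 attributes, carries one */
    0x71, 0x00, 0x00, 0x0E, 0x01, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x09,
    0x20, 0x00,0x00,0x00,0x01 };
static const uint8_t bad_attr_req[] = {         /* one attribute with out-of-range ID 0x40 */
    0x71, 0x00, 0x00, 0x0E, 0x01, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x09,
    0x01, 0x00,0x00,0x00,0x40 };

bool checked_accepts(const uint8_t *pkt, size_t len) {
    get_folder_items_t r; return parse_get_folder_items_checked(pkt, len, &r);
}
uint32_t checked_bitmap(const uint8_t *pkt, size_t len) {
    get_folder_items_t r; return parse_get_folder_items_checked(pkt, len, &r) ? r.attribute_bitmap : 0;
}
uint32_t unchecked_bitmap(const uint8_t *pkt, size_t len) {
    get_folder_items_t r; parse_get_folder_items_unchecked(pkt, len, &r); return r.attribute_bitmap;
}

int main(void) {
    printf("valid: accepted=%d bitmap=0x%02x\n", checked_accepts(valid_req, sizeof valid_req),
           checked_bitmap(valid_req, sizeof valid_req));
    printf("short list=%d bad attr=%d truncated=%d\n", checked_accepts(short_list_req, sizeof short_list_req),
           checked_accepts(bad_attr_req, sizeof bad_attr_req), checked_accepts(valid_req, sizeof valid_req - 4));
    return 0;
}
```

The three rejections in the checked parser map onto the two defects the advisory names: the parameter-length and list-length checks stop the read from running past the received bytes, and the attribute ID range check stops an out-of-range shift from corrupting the bitmap. Feeding `short_list_req` to the unchecked parser would read 124 bytes past the end of the array, which is why the example never does so.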
CVE-2026-28528 was publicly disclosed on 2026-03-30. No public proof-of-concept (PoC) code is known. The EPSS score is 0.01% (3rd percentile), and the vulnerability is not listed in the CISA KEV catalog. Because exploitation requires a paired Bluetooth Classic connection, widespread exploitation is unlikely, but the crash and state-corruption impact warrants attention on devices that accept pairing from untrusted peers.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28528 is to upgrade to BTstack 1.8.1 or later, which contains the fix for the out-of-bounds read. If an immediate upgrade is not feasible, restrict pairing so that only trusted devices can establish the Bluetooth Classic connection the attack requires; as a general least-privilege measure, a product that does not need AVRCP browsing should not enable the Browsing Target role at all, which removes the reachable handler. Network-layer controls such as a WAF or proxy never see Bluetooth traffic and cannot help; logging pairing events and AVRCP browsing connection attempts at least provides a record of anomalous peers. After upgrading, confirm the fix by sending malformed GetFolderItems requests to the handler (an attribute count larger than the attribute list actually carried, a parameter length larger than the received packet) and verifying that each request is rejected without a crash or any change in attribute state.
Update the BTstack library to version 1.8.1 or later, which contains the fix for the out-of-bounds read in the AVRCP Browsing Target GetFolderItems handler.
CVE-2026-28528 is a medium-severity out-of-bounds read in the AVRCP Browsing Target GetFolderItems handler of BTstack, listed as affecting versions 0.0 through 1.8.1, that lets a paired Bluetooth Classic peer crash the stack or corrupt its attribute bitmap state.
If you run a BTstack build in the listed 0.0 through 1.8.1 range that does not yet carry the fix, you are potentially affected. Upgrade to the patched 1.8.1 release or later.
The recommended fix is to upgrade to BTstack 1.8.1 or a later version that includes the patch. If an upgrade is not immediately possible, restrict Bluetooth pairing to trusted devices.
As of now, there is no confirmed evidence of active exploitation of CVE-2026-28528, but the potential for exploitation exists.
Refer to the BTstack project's official website and security advisories for the latest information and updates regarding CVE-2026-28528.