PT-2026-29026 · Bluekitchen · Btstack

Vulncheck · Published 2026-03-30 · Updated 2026-03-30 · CVE-2026-28527

CVSS v3.1: 7.3 (High)

Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions: BlueKitchen BTstack versions prior to 1.8.1

Description: The software contains an out-of-bounds read issue within the AVRCP Controller GET PLAYER APPLICATION SETTING ATTRIBUTE TEXT and GET PLAYER APPLICATION SETTING VALUE TEXT handlers. An attacker can establish a paired Bluetooth Classic connection and send specially crafted VENDOR DEPENDENT responses to trigger the issue. This can lead to information disclosure and potential device crashes. The issue allows reading beyond packet boundaries.

Recommendations: Update to version 1.8.1 or later.

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers: CVE-2026-28527

Affected Products: Btstack