PT-2026-29027 · Bluekitchen · Btstack

Vulncheck · Published 2026-03-30 · Updated 2026-03-30 · CVE-2026-28528

CVSS v3.1: 4.6 Medium

Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions
BlueKitchen BTstack versions prior to 1.8.1

Description
The software does not properly validate packet boundaries and attribute counts. An attacker with a paired Bluetooth Classic connection can exploit the insufficient bounds check on the attr id parameter, which can lead to crashes and corruption of the attribute bitmap state. The vulnerability resides in the AVRCP Browsing Target GET FOLDER ITEMS handler.

Recommendations
Update to version 1.8.1 or later.
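
The three checks the description says were insufficient (packet length, attribute count, attribute ID range), shown as an added example; this is not BTstack's code and not the 1.8.1 patch. The request layout (scope, start item, end item, attribute count, then 4-byte big-endian attribute IDs), the valid ID range 1 to 8, and all function and constant names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define ATTR_ID_MIN 1u   /* assumed lowest valid media attribute ID */
#define ATTR_ID_MAX 8u   /* assumed highest valid media attribute ID */
#define HDR_LEN     10u  /* scope(1) + start item(4) + end item(4) + attribute count(1) */

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_ATTR = -2 } parse_result_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical parser: writes *bitmap_out only if the whole request validates,
 * so a rejected packet can never leave a half-updated attribute bitmap behind. */
parse_result_t parse_get_folder_items(const uint8_t *pkt, size_t len, uint32_t *bitmap_out) {
    if (len < HDR_LEN) return PARSE_TRUNCATED;           /* fixed header must be present */
    uint8_t count = pkt[9];
    uint32_t bitmap = 0;
    if (count == 0x00) {                                 /* 0x00: all attributes requested */
        bitmap = (1u << (ATTR_ID_MAX + 1u)) - 2u;        /* bits 1..8 set */
    } else if (count != 0xFF) {                          /* 0xFF: no attributes requested */
        /* Division avoids overflow when comparing the claimed count to the bytes present. */
        if ((len - HDR_LEN) / 4u < count) return PARSE_TRUNCATED;
        for (size_t i = 0; i < count; i++) {
            uint32_t attr_id = read_be32(pkt + HDR_LEN + 4u * i);
            /* Range check before the value is used as a shift amount or index. */
            if (attr_id < ATTR_ID_MIN || attr_id > ATTR_ID_MAX) return PARSE_BAD_ATTR;
            bitmap |= 1u << attr_id;
        }
    }
    *bitmap_out = bitmap;
    return PARSE_OK;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t sample_ok[]     = {0x01, 0,0,0,0, 0,0,0,9, 0x02, 0,0,0,1, 0,0,0,2};
static const uint8_t sample_short[]  = {0x01, 0,0,0,0, 0,0,0,9, 0x03, 0,0,0,1};   /* claims 3 IDs, carries 1 */
static const uint8_t sample_bad_id[] = {0x01, 0,0,0,0, 0,0,0,9, 0x01, 0,0,0,0x40}; /* ID outside 1..8 */
```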

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers: CVE-2026-28528

Affected Products: Btstack