CVE-2026-28528 identifies a security vulnerability in BlueKitchen GmbH's BTstack, a widely used Bluetooth protocol stack implementation. The vulnerability is an out-of-bounds read (CWE-125) occurring in the AVRCP (Audio/Video Remote Control Profile) Browsing Target GET_FOLDER_ITEMS handler. This handler is responsible for processing requests to browse media folders over Bluetooth Classic connections. The flaw stems from a failure to properly validate packet boundaries and the attribute count data, specifically the attr_id parameter, which is used to index attributes in the browsing response. When an attacker with a paired Bluetooth Classic connection sends crafted packets exploiting this insufficient bounds checking, it can cause the BTstack to read memory beyond the intended buffer limits. This can lead to application crashes (denial of service) and corruption of the attribute bitmap state, potentially destabilizing the Bluetooth service or connected applications. The vulnerability does not require authentication but does require user interaction (UI) and a paired connection, limiting remote exploitation scope. The CVSS 4.0 vector indicates an attack vector of adjacent (Bluetooth), low attack complexity, no privileges required, but user interaction needed. The impact on confidentiality is none, with low integrity and availability impacts. No known exploits have been reported, and no patches are currently available, suggesting the vulnerability is newly disclosed. The affected product is BTstack, which is embedded in various Bluetooth-enabled devices and applications, especially in embedded and IoT environments.

The primary impact of CVE-2026-28528 is potential denial of service through crashes of the Bluetooth stack or corruption of internal state, which can disrupt Bluetooth media browsing functionality. While the vulnerability does not directly lead to remote code execution or data leakage, the instability caused could degrade user experience or interrupt critical Bluetooth services. Devices relying on BTstack for media control over Bluetooth Classic connections, such as automotive infotainment systems, consumer electronics, and embedded IoT devices, may experience service interruptions. In environments where Bluetooth connectivity is critical for operations, such as connected vehicles or industrial control systems, this could have operational consequences. However, the requirement for a paired connection and user interaction limits the attack surface to scenarios where an attacker has already established a trusted relationship or social engineering is possible. There is no evidence of widespread exploitation, reducing immediate risk, but organizations should remain vigilant given the potential for denial of service and future exploit development.

Organizations using BTstack should immediately assess their exposure by identifying devices and applications incorporating this Bluetooth stack, especially those supporting AVRCP browsing over Bluetooth Classic. Since no patches are currently available, temporary mitigations include restricting Bluetooth pairing to trusted devices only and disabling AVRCP browsing features if feasible. Network segmentation and Bluetooth access controls can limit exposure to untrusted devices. Monitoring Bluetooth connection logs for unusual pairing or browsing requests may help detect attempted exploitation. Vendors and integrators should prioritize applying patches once released by BlueKitchen GmbH. Additionally, implementing robust input validation and boundary checks in Bluetooth protocol handlers is critical to prevent similar vulnerabilities. For high-security environments, consider disabling Bluetooth Classic or limiting its use to essential functions only until a fix is available.