VYPR
Medium severity · 4.6 · NVD Advisory · Published Jun 10, 2026

CVE-2026-46532

Description

Espressif IDF's Bluedroid AVRCP parser has an out-of-bounds read vulnerability, allowing limited heap information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the BlueDroid AVRCP vendor-command parser within the avrc_pars_vendor_cmd() function in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c [1]. The PDU handlers for AVRC_PDU_GET_CAPABILITIES and AVRC_PDU_LIST_PLAYER_APP_VALUES dereference the first payload byte before verifying the payload length is at least one. This allows a malformed AVRCP vendor command with a zero-length payload to cause the parser to read one byte past the end of the received message buffer. This affects Espressif IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, provided BlueDroid Classic Bluetooth and AVRCP target support are enabled [1].

Exploitation

An attacker with a paired BR/EDR connection and an established A2DP/AVRCP connection can issue a single malformed AVRCP vendor command [1]. By observing the AVRCP error status returned by the device, the attacker can infer whether the adjacent heap byte matches a valid AVRCP identifier. This process can be repeated across successive sessions to build a low-bandwidth signal about heap contents adjacent to the AVRCP receive buffer [1]. The attacker must hold a valid BR/EDR link key from prior pairing to establish the necessary connection [1].

Impact

Successful exploitation allows an attacker to gain limited information about heap contents adjacent to the AVRCP receive buffer through repeated probes and observation of error status codes [1]. Arbitrary memory contents are not directly disclosed, and code execution has not been demonstrated [1].

Mitigation

The vulnerability has been patched in Espressif IDF versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1 [1]. The specific commits addressing this issue are available at [2], [3], and [4].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Espressif/Esp Idf: 2 version references (no CPE)
    range: <5.2.7, <5.3.6, <5.4.5, <5.5.4, <6.0.1

Patches (6)
c53d05ae5266

fix(bt/bluedroid): fixed possible OOB read in avrc_pars_vendor_cmd

https://github.com/espressif/esp-idf · Jin Cheng · Mar 10, 2026 · via nvd-ref
1 file changed · +12 −8
  • components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c (+12 −8, modified)
    @@ -80,11 +80,13 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
     
         switch (p_result->pdu) {
         case AVRC_PDU_GET_CAPABILITIES:         /* 0x10 */
    -        p_result->get_caps.capability_id = *p++;
    -        if (!AVRC_IS_VALID_CAP_ID(p_result->get_caps.capability_id)) {
    -            status = AVRC_STS_BAD_PARAM;
    -        } else if (len != 1) {
    +        if (len < 1) {
                 status = AVRC_STS_INTERNAL_ERR;
    +        } else {
    +            p_result->get_caps.capability_id = *p++;
    +            if (!AVRC_IS_VALID_CAP_ID(p_result->get_caps.capability_id)) {
    +                status = AVRC_STS_BAD_PARAM;
    +            }
             }
             break;
     
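Review bot: the guard changes from the old `else if (len != 1)` to `if (len < 1)`, so a GET_CAPABILITIES command carrying more than one parameter byte now passes where it previously returned AVRC_STS_INTERNAL_ERR; if that relaxation is not intended, keep the exact-length test in the new position (`if (len != 1) { status = AVRC_STS_INTERNAL_ERR; } else { ... }`), which still runs before `*p++`. The reordering itself is correct: the byte is no longer read when `len` is zero, and a zero-length payload now always yields AVRC_STS_INTERNAL_ERR rather than a status that depends on whatever byte follows the buffer.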
    @@ -96,11 +98,13 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
             break;
     
         case AVRC_PDU_LIST_PLAYER_APP_VALUES:   /* 0x12 */
    -        p_result->list_app_values.attr_id = *p++;
    -        if (!AVRC_IS_VALID_ATTRIBUTE(p_result->list_app_values.attr_id)) {
    -            status = AVRC_STS_BAD_PARAM;
    -        } else if (len != 1) {
    +        if (len < 1) {
                 status = AVRC_STS_INTERNAL_ERR;
    +        } else {
    +            p_result->list_app_values.attr_id = *p++;
    +            if (!AVRC_IS_VALID_ATTRIBUTE(p_result->list_app_values.attr_id)) {
    +                status = AVRC_STS_BAD_PARAM;
    +            }
             }
             break;
     
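Review bot: same `!= 1` to `< 1` relaxation as in the GET_CAPABILITIES hunk, so an oversized LIST_PLAYER_APP_VALUES payload is now accepted instead of rejected; whichever strictness is chosen, the two handlers should agree, and the commit message should say so because it is a behaviour change beyond the bounds fix. A regression test that feeds a zero-length payload to both PDUs and expects AVRC_STS_INTERNAL_ERR would pin the fix down.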
    
8746e5f7e762

fix(bt/bluedroid): fixed possible OOB read in avrc_pars_vendor_cmd

https://github.com/espressif/esp-idf · Jin Cheng · Mar 10, 2026 · via nvd-ref
1 file changed · +12 −8 (same diff as c53d05ae5266 above)
  • components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c (+12 −8, modified)
7c004d3fe302

fix(bt/bluedroid): fixed possible OOB read in avrc_pars_vendor_cmd

https://github.com/espressif/esp-idf · Jin Cheng · Mar 10, 2026 · via nvd-ref
1 file changed · +12 −8 (same diff as c53d05ae5266 above)
  • components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c (+12 −8, modified)
b0959b5ab1dc

fix(bt/bluedroid): fixed possible OOB read in avrc_pars_vendor_cmd

https://github.com/espressif/esp-idf · Jin Cheng · Mar 10, 2026 · via nvd-ref
1 file changed · +12 −8 (same diff as c53d05ae5266 above)
  • components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c (+12 −8, modified)
56053c4d1f37

fix(bt/bluedroid): fixed possible OOB read in avrc_pars_vendor_cmd

https://github.com/espressif/esp-idf · Jin Cheng · Mar 10, 2026 · via nvd-ref
1 file changed · +12 −8 (same diff as c53d05ae5266 above)
  • components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c (+12 −8, modified)
60f9362f83a0

fix(bt/bluedroid): fixed possible OOB read in avrc_pars_vendor_cmd

https://github.com/espressif/esp-idf · Jin Cheng · Mar 10, 2026 · via nvd-ref
1 file changed · +12 −8 (same diff as c53d05ae5266 above)
  • components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c (+12 −8, modified)

Vulnerability mechanics

Root cause

"An out-of-bounds read occurs in the BlueDroid AVRCP vendor-command parser due to insufficient payload length validation."

Attack vector

An attacker with a paired BR/EDR connection and an established A2DP/AVRCP connection can send a malformed AVRCP vendor command with a zero-length payload [1]. This malformed command triggers the out-of-bounds read in the `avrc_pars_vendor_cmd` function. By observing the AVRCP error response, the attacker can infer information about adjacent heap memory contents, potentially leading to a limited information disclosure or a denial-of-service condition [1].

Affected code

The vulnerability resides in the `avrc_pars_vendor_cmd` function located in `components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c` [1]. Specifically, the PDU handlers for `AVRC_PDU_GET_CAPABILITIES` and `AVRC_PDU_LIST_PLAYER_APP_VALUES` were affected by the lack of payload length validation before accessing the payload data [1, 2, 3, 4].

What the fix does

The patch modifies the `avrc_pars_vendor_cmd` function to check the payload length before dereferencing the payload pointer [2, 3, 4]. For the `AVRC_PDU_GET_CAPABILITIES` and `AVRC_PDU_LIST_PLAYER_APP_VALUES` PDUs it now returns `AVRC_STS_INTERNAL_ERR` when the length is less than 1, and only otherwise reads the first parameter byte and validates it. This prevents the parser from reading beyond the received message buffer when a zero-length payload is provided, thereby closing the out-of-bounds read vulnerability and the associated information disclosure oracle [1].
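As an added example (not ESP-IDF or Bluedroid code), the following C model shows the corrected ordering from the diff for both PDUs described under Vulnerability and here: the parameter length is tested before the first parameter byte is dereferenced. Identifier names mirror the page; the numeric status and id values, the 4-byte PDU header layout, and the extra check that the declared length does not exceed the bytes actually received are assumptions of this model.

```c
/* Added example, not ESP-IDF code: a model of the fixed GET_CAPABILITIES and
 * LIST_PLAYER_APP_VALUES handling. Names mirror the page; values are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
enum { AVRC_PDU_GET_CAPABILITIES = 0x10, AVRC_PDU_LIST_PLAYER_APP_VALUES = 0x12 };
enum { AVRC_STS_BAD_CMD = 0, AVRC_STS_BAD_PARAM = 1, AVRC_STS_INTERNAL_ERR = 3,
       AVRC_STS_NO_ERROR = 4 };
/* Assumed id ranges: capability ids 2 and 3; player-app attribute ids 1..4. */
static bool is_valid_cap_id(uint8_t id)  { return id == 2 || id == 3; }
static bool is_valid_attr_id(uint8_t id) { return id >= 1 && id <= 4; }
typedef struct { uint8_t pdu; uint8_t id; } avrc_cmd_t;

/* Body layout: pdu id, packet type, 16-bit big-endian parameter length, then
 * parameters. `avail` is the byte count actually received; comparing the
 * declared length against it is an extra guard of this model, the page's
 * patch only adds the per-PDU `len < 1` test. */
int parse_vendor_cmd(const uint8_t *buf, size_t avail, avrc_cmd_t *out)
{
    if (avail < 4) return AVRC_STS_INTERNAL_ERR;        /* header incomplete */
    const uint8_t *p = buf;
    out->pdu = *p++;
    p++;                                                /* packet type */
    uint16_t len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (len > avail - 4) return AVRC_STS_INTERNAL_ERR;   /* declared > received */
    int status = AVRC_STS_NO_ERROR;
    switch (out->pdu) {
    case AVRC_PDU_GET_CAPABILITIES:
        if (len < 1) {                       /* fixed order: test len before *p */
            status = AVRC_STS_INTERNAL_ERR;
        } else {
            out->id = *p++;
            if (!is_valid_cap_id(out->id)) status = AVRC_STS_BAD_PARAM;
        }
        break;
    case AVRC_PDU_LIST_PLAYER_APP_VALUES:
        if (len < 1) {
            status = AVRC_STS_INTERNAL_ERR;
        } else {
            out->id = *p++;
            if (!is_valid_attr_id(out->id)) status = AVRC_STS_BAD_PARAM;
        }
        break;
    default:
        status = AVRC_STS_BAD_CMD;           /* other PDUs not modelled */
    }
    return status;
}
```

With a zero-length payload the model returns the error status without ever touching the byte after the header, which is the property the patch restores.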

Preconditions

  • config: BlueDroid Classic Bluetooth and AVRCP target support must be enabled (CONFIG_BT_AVRCP_ENABLED).
  • auth: The attacker must possess a valid BR/EDR link key from prior pairing, acting as an authenticated peer.
  • network: The attacker must be within Bluetooth radio range.

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
