
CERT Coordination Center

Information Leak and DoS Vulnerabilities in Redmi Buds 3 Pro through 6 Pro

Vulnerability Note VU#472136

Original Release Date: 2026-01-15 | Last Revised: 2026-01-15

Overview

Redmi Buds, a series of Bluetooth earbuds produced and sold by Xiaomi, contain an information leak vulnerability and a denial of service (DoS) vulnerability in models 3 Pro through 6 Pro. An attacker within Bluetooth radio range can send specially crafted RFCOMM frames to the device's internal channels without prior pairing or authentication, exposing sensitive call-related data or triggering repeatable firmware crashes.

Description

Both vulnerabilities originate in the firmware's improper handling of RFCOMM control and signaling messages. The product specifications for Redmi Buds advertise support for the Bluetooth Classic profiles HFP, A2DP, and AVRCP, but direct experimentation has also confirmed additional, undocumented L2CAP/RFCOMM channels active on the devices. These channels were likely implemented for auxiliary services or legacy audio support; vendor-specific internal interfaces are not required to be disclosed on consumer product pages.

CVE-2025-13834 This vulnerability results from missing bounds checking when the firmware handles malformed RFCOMM TEST commands. When the multiplexer control channel (DLCI 0) receives a TEST command whose length field declares a large payload but whose frame carries none, the response handler sizes its reply from the declared length rather than from the bytes actually received, and so echoes back uninitialized memory. An attacker can obtain up to 127 bytes of potentially sensitive data, such as the phone number of the user's active call peer, with a single frame; 127 is the maximum value a single-octet RFCOMM length field (7 length bits plus the EA bit) can express. The mechanism closely resembles the Heartbleed bug (CVE-2014-0160): in both cases the code blindly trusts a packet's length field without checking it against the data present, producing an out-of-bounds read and unintended memory disclosure.
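The following C model, added here as an illustration and not taken from the Redmi Buds firmware or from the researchers' proof of concept, shows the bug class described above beside its hardened form. It assumes the standard RFCOMM (TS 07.10) layout of a multiplexer control message on DLCI 0, i.e. a type octet (0x23 for a TEST command, 0x21 for the response), a length octet with the EA bit in bit 0, and the value bytes; the receive pool, the stale "+CLIP" line standing in for leftover HFP data, the fictional phone number, and all function names are constructed for the example.

```c
/* Illustrative model of an RFCOMM TEST handler on DLCI 0 (added example, not
 * vendor firmware). Control message layout: [type][length][value...], with the
 * length octet's bit 0 being the EA bit and bits 1..7 the 7-bit length. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFCOMM_TEST_CMD  0x23u  /* EA=1, C/R=1, type 0b001000 (TEST command) */
#define RFCOMM_TEST_RSP  0x21u  /* EA=1, C/R=0, type 0b001000 (TEST response) */
#define MAX_CTRL_VALUE   127u   /* largest length a single-octet length field encodes */

/* Scratch pool standing in for the firmware's receive buffer (constructed). */
static uint8_t g_rx_pool[2 + MAX_CTRL_VALUE];

/* Constructed stale content: models whatever the pool last held, for example an
 * HFP +CLIP line carrying a call peer's (fictional) number. */
static void fill_pool_with_stale_data(void) {
    static const char stale[] = "+CLIP: \"+15551234567\",145";
    memset(g_rx_pool, 0xAA, sizeof g_rx_pool);
    memcpy(g_rx_pool + 2, stale, sizeof stale - 1);
}

/* Vulnerable model: the response size is taken from the frame's length field,
 * not from the number of bytes that actually arrived. Returns the response
 * length, or -1 if the frame is not an acceptable TEST command. */
int test_handler_vulnerable(const uint8_t *frame, size_t frame_len,
                            uint8_t *rsp, size_t rsp_cap) {
    if (frame_len < 2 || frame_len > sizeof g_rx_pool) return -1;
    if (frame[0] != RFCOMM_TEST_CMD || !(frame[1] & 1u)) return -1;
    fill_pool_with_stale_data();             /* the pool is never cleared between frames */
    memcpy(g_rx_pool, frame, frame_len);     /* only the received bytes are overwritten */
    size_t len = g_rx_pool[1] >> 1;          /* BUG: attacker-controlled and unchecked */
    if (rsp_cap < 2 + len) return -1;
    rsp[0] = RFCOMM_TEST_RSP;
    rsp[1] = g_rx_pool[1];
    memcpy(rsp + 2, g_rx_pool + 2, len);     /* over-read when len > frame_len - 2 */
    return (int)(2 + len);
}

/* Hardened model: the declared length must equal the payload actually received. */
int test_handler_fixed(const uint8_t *frame, size_t frame_len,
                       uint8_t *rsp, size_t rsp_cap) {
    if (frame_len < 2 || frame[0] != RFCOMM_TEST_CMD) return -1;
    if (!(frame[1] & 1u)) return -1;         /* two-octet length form not modelled: reject */
    size_t len = frame[1] >> 1;
    if (len != frame_len - 2) return -1;     /* length field disagrees with the payload */
    if (rsp_cap < 2 + len) return -1;
    rsp[0] = RFCOMM_TEST_RSP;
    rsp[1] = frame[1];
    memcpy(rsp + 2, frame + 2, len);
    return (int)(2 + len);
}

/* Malicious frame: TEST command, length octet 0xFF (EA set, length 127), no payload. */
static const uint8_t k_empty_test_len127[2] = { RFCOMM_TEST_CMD, 0xFF };
/* Well-formed frame: TEST command with the 5-byte value "ping!" (length 5 -> 0x0B). */
static const uint8_t k_valid_test[7] = { RFCOMM_TEST_CMD, 0x0B, 'p', 'i', 'n', 'g', '!' };

/* Response length the vulnerable handler produces for the 2-byte malicious frame. */
int demo_vulnerable_len(void) {
    uint8_t rsp[2 + MAX_CTRL_VALUE];
    return test_handler_vulnerable(k_empty_test_len127, sizeof k_empty_test_len127,
                                   rsp, sizeof rsp);
}

/* 1 if the over-read response carries the stale caller number, else 0. */
int demo_leak_contains_number(void) {
    uint8_t rsp[2 + MAX_CTRL_VALUE + 1];
    int n = test_handler_vulnerable(k_empty_test_len127, sizeof k_empty_test_len127,
                                    rsp, sizeof rsp - 1);
    if (n < 0) return 0;
    rsp[n] = 0;
    return strstr((const char *)rsp, "+15551234567") != NULL;
}

/* The hardened handler rejects the same malicious frame (-1). */
int demo_fixed_rejects_short(void) {
    uint8_t rsp[2 + MAX_CTRL_VALUE];
    return test_handler_fixed(k_empty_test_len127, sizeof k_empty_test_len127,
                              rsp, sizeof rsp);
}

/* The hardened handler still echoes a consistent TEST frame (7 bytes back). */
int demo_fixed_echo_len(void) {
    uint8_t rsp[2 + MAX_CTRL_VALUE];
    return test_handler_fixed(k_valid_test, sizeof k_valid_test, rsp, sizeof rsp);
}

int main(void) {
    printf("vulnerable: %d-byte response to a 2-byte frame, number leaked: %s\n",
           demo_vulnerable_len(), demo_leak_contains_number() ? "yes" : "no");
    printf("fixed: malicious frame -> %d, valid frame -> %d bytes\n",
           demo_fixed_rejects_short(), demo_fixed_echo_len());
    return 0;
}
```

The single check that matters is the comparison of the declared length with `frame_len - 2`; everything else in the hardened handler is the same copy the vulnerable one performs. Note that the model treats the two-octet length form as a rejection for brevity, which a real implementation would need to parse rather than drop.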

CVE-2025-13328 This vulnerability is caused by the firmware's susceptibility to flooding over RFCOMM channels. When an attacker floods the multiplexer control channel (DLCI 0) with a high volume of otherwise legitimate TEST commands, the device's processing queue is overwhelmed, leading to resource exhaustion and a firmware crash that forcibly terminates paired user connections. Other active data channels in the device's RFCOMM implementation can likewise be flooded with MSC (Modem Status Command) signaling frames, including both the standard HFP (Hands-Free Profile) channel and an undocumented Airoha auxiliary service channel.

Impact

Both vulnerabilities can be exploited by an unpaired, unauthenticated attacker within Bluetooth radio range and require no user interaction. The only prerequisite is the Bluetooth device address (MAC address) of the target, which can be discovered with basic Bluetooth sniffing tools. During testing with standard dongles and no additional signal amplification, exploitation succeeded at a distance of approximately twenty meters; physical barriers and differences between Bluetooth versions can be expected to affect the effective range.

The uninitialized memory disclosed by CVE-2025-13834 threatens the confidentiality of Redmi Buds users during and after private calls, as demonstrated by a PoC that recovered the phone number of a user's active call peer. Any other metadata that passes through the same memory pool is equally exposed, and the attack can be repeated without alerting the user. The flaw shows that IoT protocol stacks remain susceptible to the "missing bounds check" or "buffer over-read" class of defects that Heartbleed made notorious in web servers, and it represents a critical oversight in the memory management of the Redmi Buds Bluetooth firmware.

The DoS vulnerability, CVE-2025-13328, can be exploited to deny device availability to legitimate users, inducing repeatable firmware crashes that forcibly disconnect all paired devices. To restore functionality, the earbuds must be physically reset by returning them to the charging case.

Solution

Xiaomi could not be reached for statements regarding remediation plans or mitigation guidance. To reduce exposure, users are advised to disable Bluetooth when the earbuds are not in use, particularly in public or shared environments.

Acknowledgements

Thanks to Choongin Lee, Jiwoong Ryu, and Heejo Lee for discovering, researching, and reporting these vulnerabilities. This document was written by Molly Jaconski.

Vendor Information


Xiaomi (status: Unknown)

Notified: 2025-09-30 | Updated: 2026-01-15

CVE-2025-13328: Unknown
CVE-2025-13834: Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2025-13328 CVE-2025-13834
API URL: VINCE JSON | CSAF
Date Public: 2026-01-15
Date First Published: 2026-01-15
Date Last Updated: 2026-01-15 15:16 UTC
Document Revision: 1

Sponsored by CISA.