CVE-2025-13328: About multiplexer control commands from the ETSI TS 07.10 (20th Jan 2026)

Mitre, NVD Official Published: 2026-01-16

Preface: ETSI TS 07.10 defines the multiplexer protocol for GSM networks, and DLCI 0 (Data Link Connection Identifier 0) specifically refers to the control channel used to manage multiple virtual serial sessions (like data, fax, voice) over a single physical serial link or its wireless emulation (like Bluetooth’s RFCOMM) to a device, essentially acting as the “local serial line” manager for those simultaneous connections on a smartphone or modem.

Background: In 2026, firmware-level flooding attacks over RFCOMM (Radio Frequency Communication) channels primarily exploit the device’s inability to handle excessive signaling and control traffic, leading to resource exhaustion or firmware crashes. These attacks typically occur without the need for prior pairing or authentication.

  1. Assume the earbuds firmware is the vulnerable component: it acts as the Responder on DLCI 0 and processes ETSI TS 07.10 control commands (like TEST) without proper limits.
  2. The attacker (or smartphone) sends the flooding traffic, but it’s lightweight for the sender—just repeated TEST frames.
  3. The earbuds do all the heavy lifting: parsing, allocating buffers, and responding. This leads to resource exhaustion on the earbuds, not on the smartphone.

The earbuds will run out of resources (CPU/memory) due to excessive TEST frames, not the smartphone.

Vulnerability details: This vulnerability is caused by the firmware’s susceptibility to flooding attacks over RFCOMM channels. When an attacker floods the standard control channel (DLCI 0) with a high volume of legitimate TEST commands, the device’s processing queue is overwhelmed, leading to resource exhaustion and a firmware crash that forcibly terminates paired user connections. Other active data channels across the device’s RFCOMM implementation are also vulnerable to flooding via MSC (Modem Status Command) signaling frames, including both the standard HFP (Hands-Free Profile) channel and an undocumented Airoha auxiliary service channel.
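
One way a responder can bound this work, shown as an added example (not vendor firmware and not code from the advisory): a token bucket that gates TEST and MSC commands before they are parsed or buffered. The limits, the struct and the function names are hypothetical; the type values follow the TS 07.10 encoding used by RFCOMM.

```c
#include <stdbool.h>
#include <stdint.h>

/* MCC type byte = (type << 2) | (C/R << 1) | EA, per TS 07.10 / RFCOMM. */
#define MCC_TEST 0x08u
#define MCC_MSC  0x38u
/* Hypothetical limits; tune per product. */
#define BUCKET_BURST     8u   /* commands accepted back to back */
#define REFILL_PERIOD_MS 50u  /* one token regained every 50 ms */

struct mcc_limiter {
    uint32_t tokens;   /* commands that may still be processed */
    uint32_t last_ms;  /* time of the last refill step */
    uint32_t dropped;  /* counter for telemetry / disconnect policy */
};

void mcc_limiter_init(struct mcc_limiter *l, uint32_t now_ms)
{
    l->tokens = BUCKET_BURST;
    l->last_ms = now_ms;
    l->dropped = 0;
}

/* Returns true if the control message may be parsed and answered. */
bool mcc_admit(struct mcc_limiter *l, uint8_t type_byte, uint32_t now_ms)
{
    uint8_t type = type_byte >> 2;
    bool is_cmd = (type_byte & 0x02u) != 0;

    /* Responses and other message types are not limited here. */
    if (!is_cmd || (type != MCC_TEST && type != MCC_MSC))
        return true;

    /* Refill; unsigned subtraction stays correct across tick wrap-around. */
    uint32_t earned = (now_ms - l->last_ms) / REFILL_PERIOD_MS;
    if (earned > 0) {
        uint32_t room = BUCKET_BURST - l->tokens;
        l->tokens += (earned > room) ? room : earned;
        l->last_ms += earned * REFILL_PERIOD_MS;
    }
    if (l->tokens == 0) {
        l->dropped++;  /* reject before any buffer is allocated */
        return false;
    }
    l->tokens--;
    return true;
}
```

The check belongs ahead of payload parsing and response allocation, with one limiter per remote device, so a flood costs the responder only a counter update per frame.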

Official announcement: Please refer to the link for details: https://www.tenable.com/cve/CVE-2025-13328
