Redmi Buds Vulnerabilities Allow Attackers to Access Call Data and Trigger Firmware Crashes

Security researchers have uncovered significant vulnerabilities in the firmware of Xiaomi’s popular Redmi Buds series, specifically affecting models ranging from the Redmi Buds 3 Pro up to the latest Redmi Buds 6 Pro.

The discovery highlights critical flaws in the Bluetooth implementation of these devices, allowing attackers to access sensitive information or force the devices offline. These exploits leverage the RFCOMM protocol and can be executed by an attacker within radio range without ever pairing with the target device.

Redmi Buds Vulnerability

The core of the issue lies in how the Redmi Buds firmware handles RFCOMM control and signaling messages. While the product specifications advertise standard support for profiles such as HFP and A2DP, the devices also listen on undocumented internal RFCOMM channels, likely used for auxiliary services.

The first vulnerability, tracked as CVE-2025-13834, is an information leak caused by improper bounds checking. The flaw behaves much like the infamous Heartbleed bug that affected web servers years ago.

When the device receives a specially crafted TEST command with a manipulated length field on its control channel, the firmware fails to validate the declared length against the data it actually received.

Instead of rejecting the malformed packet, the firmware reads from uninitialized memory and returns up to 127 bytes of it to the attacker. This out-of-bounds read can expose highly sensitive information residing in the memory pool, including the phone numbers of active call peers.
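To make the bounds-check defect concrete, here is an added illustration in C (not the Redmi firmware's code, whose internals are not public) modelled on the RFCOMM multiplexer TEST message: a handler that trusts the declared length next to one that checks it against the frame it actually received. The fixed receive buffer and the frame contents are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFCOMM multiplexer control message (TS 07.10 layout, carried on DLCI 0):
 *   type octet  : bit0 = EA, bit1 = C/R, bits2-7 = type (TEST = 0x08)
 *   length octet: bit0 = EA, bits1-7 = value length, so one octet caps it at 127
 *   value       : 'length' octets that the peer echoes back in the TEST response
 */
#define MCC_TEST_CMD 0x23          /* (0x08 << 2) | C/R=1 | EA=1 */
#define MCC_TEST_RSP 0x21          /* (0x08 << 2) | C/R=0 | EA=1 */
#define MCC_MAX_LEN  127

/* Assumed fixed receive buffer reused for every frame, as small firmware often
 * does: bytes beyond the current frame are stale leftovers from earlier traffic. */
static uint8_t rx_buf[2 + MCC_MAX_LEN];

/* Copies a new frame over the reused buffer without clearing the remainder. */
void rx_load(const uint8_t *frame, size_t len)
{
    if (len > sizeof rx_buf) len = sizeof rx_buf;
    memcpy(rx_buf, frame, len);
}

/* Vulnerable pattern: echoes 'declared' bytes without comparing the declared
 * length to what the frame carried, so stale buffer contents are sent back. */
int test_echo_unchecked(size_t frame_len, uint8_t *out)
{
    (void)frame_len;                         /* never consulted: the defect */
    if (rx_buf[0] != MCC_TEST_CMD || !(rx_buf[1] & 1)) return -1;
    size_t declared = rx_buf[1] >> 1;
    out[0] = MCC_TEST_RSP; out[1] = rx_buf[1];
    memcpy(out + 2, rx_buf + 2, declared);
    return (int)(2 + declared);
}

/* Hardened pattern: the declared length must fit inside the received frame. */
int test_echo_checked(size_t frame_len, uint8_t *out)
{
    if (frame_len < 2 || rx_buf[0] != MCC_TEST_CMD || !(rx_buf[1] & 1)) return -1;
    size_t declared = rx_buf[1] >> 1;
    if (declared > frame_len - 2) return -1;   /* reject; never pad from memory */
    out[0] = MCC_TEST_RSP; out[1] = rx_buf[1];
    memcpy(out + 2, rx_buf + 2, declared);
    return (int)(2 + declared);
}
```

A frame that declares five value bytes but carries one makes the unchecked handler echo four bytes left over from the previous frame, while the checked handler drops it.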

The second vulnerability, CVE-2025-13328, is a Denial of Service (DoS) flaw resulting from the firmware’s inability to handle high-volume traffic.

Attackers can flood the standard control channel or undocumented service channels with legitimate TEST commands or Modem Status Command signaling frames.

This flood overwhelms the device’s processing queue, leading to resource exhaustion. The result is a firmware crash that forcibly disconnects the user from their paired device.

| CVE ID | Vulnerability Type | Impact | Severity |
| --- | --- | --- | --- |
| CVE-2025-13834 | Information Leak | Allows attackers to read uninitialized memory, potentially exposing phone numbers and metadata. | Critical |
| CVE-2025-13328 | Denial of Service | Enables attackers to crash firmware and force device disconnection via packet flooding. | High |

Exploitation and Operational Impact

The most alarming aspect of these vulnerabilities is the low barrier to entry for potential attackers. Exploitation does not require authentication, PIN pairing, or any user interaction.

An attacker needs only the MAC address of the target earbuds, which can be easily obtained using standard Bluetooth sniffing tools.

Tests conducted by researchers demonstrated that these attacks could be successfully executed from approximately twenty meters away using standard dongles, though obstacles like walls may reduce this range.

The operational impact on the user varies from privacy invasion to persistent disruption. The information leak poses a confidentiality risk, particularly for users conducting private calls in public spaces.

The attacker can repeatedly trigger the memory leak without the user noticing. The Denial of Service attack, by contrast, disrupts availability: once the firmware crashes, the earbuds become unresponsive and disconnect from the audio source, according to the CERT/CC note.

To restore functionality, the user must physically place the earbuds back into their charging case to initiate a reset, creating a significant nuisance if the attack is automated and repeated.

As of the disclosure of these findings, Xiaomi has not provided a statement regarding a firmware patch or specific remediation plans. The vulnerabilities were credited to researchers Choongin Lee, Jiwoong Ryu, and Heejo Lee.

Until a firmware update addresses the improper bounds-checking and resource-management issues, users are advised to disable Bluetooth on their mobile devices when not actively using their earbuds, especially in high-density public environments where the risk of local RF exploitation is highest.
