Redmi Buds Flaw Exposes Call Data & Vulnerability Allow

Significant firmware vulnerabilities have been identified by security researchers across Xiaomi’s popular Redmi Buds series. These flaws affect models from the Redmi Buds 3 Pro to the latest Redmi Buds 6 Pro.

The discovery highlights critical flaws in the Bluetooth implementation of these devices, allowing attackers to access sensitive information or force the devices offline. These exploits leverage the RFCOMM protocol and can be executed by an attacker within radio range without ever pairing with the target device.

Redmi Buds Vulnerability

The core of the issue lies in how the Redmi Buds firmware manages the RFCOMM control and signaling mechanisms. While the product specifications advertise standard support for profiles like HFP and A2DP, the devices actively monitor undocumented internal channels likely used for auxiliary services.

The first vulnerability, tracked as CVE-2025-13834, is an information leak caused by improper bounds checking. This flaw functions similarly to the infamous Heartbleed bug found in web servers years ago.

When the device receives a specifically crafted TEST command with a manipulated length field on its control channel, the firmware fails to validate the request properly.

Instead of rejecting the malformed packet, the system reads from uninitialized memory and returns up to 127 bytes of data to the attacker. This out-of-bounds read can expose highly sensitive information residing in the memory pool, including the phone numbers of active call peers.

The second vulnerability, CVE-2025-13328, is a Denial of Service (DoS) flaw resulting from the firmware’s inability to handle high-volume traffic.

Attackers can flood the standard control channel or undocumented service channels with legitimate TEST commands or Modem Status Command signaling frames.

This flood overwhelms the device’s processing queue, leading to resource exhaustion. The result is a firmware crash that forcibly disconnects the user from their paired device.

Exploitation and Operational Impact

The most alarming aspect of these vulnerabilities is the low barrier to entry for potential attackers. Exploitation does not require authentication, PIN pairing, or any user interaction.

An attacker only requires the MAC address of the target earbuds, which can be easily obtained using standard Bluetooth sniffing tools.

Tests conducted by researchers demonstrated that these attacks could be successfully executed from approximately twenty meters away using standard dongles, though obstacles like walls may reduce this range.

The operational impact on the user varies from privacy invasion to persistent disruption. The information leak poses a confidentiality risk, particularly for users conducting private calls in public spaces.

The attacker can repeatedly trigger the memory leak without the user noticing. Conversely, the Denial of Service attack disrupts availability. Once the firmware crashes, the earbuds become unresponsive and disconnect from the audio source, according to the CERT/CC note.

To restore functionality, the user must physically place the earbuds back into their charging case to initiate a reset, creating a significant nuisance if the attack is automated and repeated.

As of the disclosure of these findings, Xiaomi has not provided a statement regarding a firmware patch or specific remediation plans. The vulnerabilities were credited to researchers Choongin Lee, Jiwoong Ryu, and Heejo Lee.

Until a firmware update addresses the improper bounds-checking and resource-management issues, users are advised to disable Bluetooth on their mobile devices when not actively using their earbuds, especially in high-density public environments where the risk of local RF exploitation is highest.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.