Critical Vulnerabilities in Xiaomi’s Redmi Buds Expose Users to Data Breaches and Service Disruptions
Recent security analyses have identified significant vulnerabilities within the firmware of Xiaomi’s Redmi Buds series, encompassing models from the Redmi Buds 3 Pro to the latest Redmi Buds 6 Pro. These flaws in the Bluetooth implementation could allow unauthorized access to sensitive user data and enable attackers to disrupt device functionality.
Understanding the Vulnerabilities
The primary issues stem from the earbuds’ handling of the RFCOMM protocol, the Bluetooth standard for serial data transmission. In addition to the standard profiles it supports, such as the Hands-Free Profile (HFP) and the Advanced Audio Distribution Profile (A2DP), the firmware also listens on undocumented internal channels, apparently for auxiliary services.
CVE-2025-13834: Information Leak
This vulnerability arises from inadequate bounds checking in the firmware. When the earbuds receive a specially crafted TEST command with a manipulated length field on the control channel, the firmware does not properly validate the request against the data actually received. As a result, it reads from uninitialized memory and returns up to 127 bytes of it to the sender. This out-of-bounds read can expose sensitive information, such as the phone numbers of the participants in an active call.
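As an added illustration of the bounds check described above, and not code from the Redmi Buds firmware or from the researchers, the handler below processes an RFCOMM multiplexer TEST command (TS 07.10 framing; the one-octet length form is assumed) and refuses any message whose declared length exceeds the bytes that were actually received. The two sample messages are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* RFCOMM multiplexer control message (DLCI 0, TS 07.10 framing).
 * Type octet: bit0 = EA, bit1 = C/R (1 = command), bits 2..7 = message type.
 * Length octet: bit0 = EA (1 = single octet), bits 1..7 = 7-bit length. */
#define MCC_TYPE_TEST 0x08
#define MCC_TYPE_OCTET(type, cr) ((uint8_t)(((type) << 2) | ((cr) << 1) | 0x01))
/* Build the echo response to a TEST command. Returns the response length or
 * -1 for a malformed message. msg_len is the byte count actually received;
 * the length field inside the message is validated against it. */
int handle_mcc_test(const uint8_t *msg, size_t msg_len, uint8_t *resp, size_t resp_cap)
{
    if (msg_len < 2) return -1;                        /* need type + length */
    uint8_t type_octet = msg[0], len_octet = msg[1];
    if (!(type_octet & 0x01) || (type_octet >> 2) != MCC_TYPE_TEST) return -1;
    if (!((type_octet >> 1) & 0x01)) return -1;        /* a response: nothing to echo */
    if (!(len_octet & 0x01)) return -1;                /* two-octet length (>127): not accepted here */
    size_t declared = len_octet >> 1;                  /* 7-bit length, peer-controlled */
    /* The bounds check the article describes as missing: the declared length
     * must be backed by bytes that were actually received, otherwise the
     * memcpy below would echo whatever lies in memory past the received data. */
    if (declared > msg_len - 2) return -1;
    if (resp_cap < 2 + declared) return -1;

    resp[0] = MCC_TYPE_OCTET(MCC_TYPE_TEST, 0);        /* same type, C/R = response */
    resp[1] = len_octet;
    memcpy(&resp[2], &msg[2], declared);
    return (int)(2 + declared);
}

/* Constructed samples: a well-formed TEST carrying three value bytes, and one
 * whose length octet 0xFF (EA set, value 127) claims far more than was sent. */
static const uint8_t SAMPLE_OK[]       = { 0x23, 0x07, 0xAA, 0xBB, 0xCC };
static const uint8_t SAMPLE_OVERLONG[] = { 0x23, 0xFF, 0xAA, 0xBB, 0xCC };

int demo_valid(void)      /* returns 5: response is 0x21 0x07 AA BB CC */
{
    uint8_t resp[130];
    int n = handle_mcc_test(SAMPLE_OK, sizeof SAMPLE_OK, resp, sizeof resp);
    if (n != 5 || resp[0] != 0x21 || resp[1] != 0x07 ||
        memcmp(&resp[2], &SAMPLE_OK[2], 3) != 0) return -2;
    return n;
}

int demo_overlong(void)   /* returns -1: rejected before any copy happens */
{
    uint8_t resp[130];
    return handle_mcc_test(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, resp, sizeof resp);
}
```

The rejected sample is exactly the shape the article describes: a valid-looking TEST command whose length octet promises 127 bytes while only three follow it.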
CVE-2025-13328: Denial of Service (DoS)
This flaw is due to the firmware’s inability to handle high volumes of traffic. Attackers can flood the control or undocumented service channels with legitimate TEST commands or Modem Status Command signaling frames. This overwhelming traffic exhausts the device’s processing resources, leading to a firmware crash and disconnection from the paired device.
Technical Details and Impact
The exploitation of these vulnerabilities does not require authentication, PIN pairing, or user interaction. An attacker only needs the MAC address of the target earbuds, which can be obtained using standard Bluetooth sniffing tools. Tests have shown that attacks can be executed from approximately twenty meters away using standard dongles, though physical obstacles may reduce this range.
Operational Consequences
The information leak poses a significant privacy risk, especially for users engaged in private calls in public spaces. Attackers can repeatedly trigger the memory leak without the user’s knowledge. The DoS attack disrupts device availability, rendering the earbuds unresponsive and disconnected from the audio source. To restore functionality, users must place the earbuds back into their charging case to reset them, which becomes a considerable inconvenience if the attack is automated and repeated.
Current Status and Recommendations
As of the disclosure, Xiaomi has not provided a statement regarding a firmware patch or specific remediation plans. The vulnerabilities were identified by researchers Choongin Lee, Jiwoong Ryu, and Heejo Lee. Until a firmware update addresses these issues, users are advised to disable Bluetooth on their mobile devices when not actively using their earbuds, particularly in high-density public environments where the risk of local RF exploitation is highest.