
The Korea Internet & Security Agency (KISA) has issued an urgent advisory following the discovery of critical security flaws in several generations of Xiaomi wireless earbuds. In a recent notice, the agency warned that because no official security patch is yet available, users should "disable Bluetooth in public places when not using earphones."
The flaws affect a wide range of Xiaomi’s "Pro" lineup of wireless earbuds, including the Redmi Buds 3 Pro, 4 Pro, 5 Pro, and 6 Pro. Although the 3 Pro and 4 Pro were released several years ago, these models remain staples of the secondary market, and the 5 Pro and 6 Pro are still actively sold through official global channels and major retailers in 2026.
Data sniffing and kill switch
The vulnerabilities, documented by the US CERT Coordination Center last month, allow an attacker within Bluetooth range to bypass all standard security hurdles. No pairing or authentication is required to exploit the devices.
The first flaw, CVE-2025-13834, is a Heartbleed-style information leak issue. When the earbuds' control channel receives a specific "TEST" command with a large length field but an empty payload, the device returns a buffer of uninitialized memory.
Researchers from Korea University, who discovered the bug, warned that an attacker can exploit this out-of-bounds read to steal up to 127 bytes of data, including the phone number of a user's active call peer, with a single malicious packet.
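The class of bug described above, shown as an added example that is not code from Xiaomi, its chip suppliers or the researchers: a handler that trusts a declared length next to one that checks it against the bytes actually received. The frame layout, opcode value and function names are assumptions made for illustration, and a reused receive buffer stands in for the uninitialized memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical frame layout (an assumption, not the earbuds' real protocol):
 * byte 0 = opcode, byte 1 = declared payload length, bytes 2.. = payload. */
#define OP_TEST 0x01
#define RX_SIZE 130
static uint8_t rx_buf[RX_SIZE];   /* reused for every frame, never cleared */

/* Models the radio stack copying a received frame into the shared buffer. */
static void rx_store(const uint8_t *frame, size_t n) {
    if (n > RX_SIZE) n = RX_SIZE;
    memcpy(rx_buf, frame, n);
}

/* Flawed echo: trusts the declared length, so bytes left over from an
 * earlier frame are returned when the payload is shorter than claimed. */
int handle_test_flawed(size_t received, uint8_t *out, size_t out_cap) {
    if (received < 2 || rx_buf[0] != OP_TEST) return -1;
    size_t declared = rx_buf[1];
    if (declared > out_cap) return -1;
    memcpy(out, rx_buf + 2, declared);
    return (int)declared;
}

/* Hardened echo: the declared length must fit in what actually arrived. */
int handle_test_checked(size_t received, uint8_t *out, size_t out_cap) {
    if (received < 2 || rx_buf[0] != OP_TEST) return -1;
    size_t declared = rx_buf[1];
    if (declared > received - 2 || declared > out_cap) return -1;
    memcpy(out, rx_buf + 2, declared);
    return (int)declared;
}

/* Constructed scenario: an earlier frame leaves data behind, then a TEST frame
 * claims 127 payload bytes but carries none. Returns 1 if only the flawed handler leaks. */
int demo(void) {
    uint8_t earlier[2 + 12] = {0x02, 12};
    memcpy(earlier + 2, "PEER-NUMBER!", 12);   /* constructed stand-in data */
    rx_store(earlier, sizeof earlier);
    const uint8_t test[2] = {OP_TEST, 127};
    rx_store(test, sizeof test);
    uint8_t out[127];
    int leaked = handle_test_flawed(sizeof test, out, sizeof out);
    int stale = leaked == 127 && memcmp(out, "PEER-NUMBER!", 12) == 0;
    return stale && handle_test_checked(sizeof test, out, sizeof out) == -1;
}
```

Clearing the receive buffer between frames limits what a missed check can expose, but the length comparison is the actual fix.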
The second bug, CVE-2025-13328, acts as a remote kill switch. By flooding the device with a high volume of commands, an attacker can overwhelm the device's processing queue. This leads to a complete firmware crash that forcibly terminates paired user connections.
According to reports, Xiaomi has attributed the issues to a "nonstandard configuration of Google Fast Pair by some chip suppliers," and confirmed it is currently working on an over-the-air (OTA) update to fix the bug.
This incident mirrors a growing trend of “silent” exploits targeting Bluetooth devices. Previous investigations into Google’s Fast Pair protocol have similarly shown how unauthenticated protocols can be weaponized to hijack audio and even track users.