VDE-2026-0001
Last update
18.02.2026 08:00
Published at
18.02.2026 08:00
Vendor(s)
Harman International
External ID
HBSA-2025-0003
Summary
The Bluetooth Classic implementation on JBL Flip 4 devices with firmware versions prior to 4.1.0 does not properly handle malformed LMP messages, which causes the entire device to crash. Any attacker in radio range can exploit this vulnerability.
Impact
Any attacker in radio range can send malicious messages to cause the device to crash.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Flip 4 | JBL Flip 4 | Firmware <4.1.0 |
Vulnerabilities
Published
18.02.2026 15:21
Severity
Weakness
Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)
Summary
Affected devices running firmware versions prior to 4.1.0 may crash and become unavailable when receiving specific malformed Bluetooth messages from an unauthenticated attacker.
References
Mitigation
There is no known mitigation at this moment.
Remediation
The vulnerability is fixed in firmware version 4.1.0.
Acknowledgments
Harman International thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
- Justus W. Perlwitz from JWP Consulting for reporting (see https://www.jwpconsulting.net/)
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 18.02.2026 08:00 | Initial release. |