CISA alerts on Redmi Buds 3 Pro through 6 Pro vulnerabilities

Redmi Buds models 3 Pro through 6 Pro include an information-leak vulnerability and a Denial of Service (DoS) vulnerability in the Bluetooth firmware that can expose call-related data or cause repeatable firmware crashes when exploited over RFCOMM without pairing.

The advisory identifies two tracked flaws, CVE-2025-13834 and CVE-2025-13328, affecting Redmi Buds versions 3 Pro through 6 Pro. The devices present the advertised Bluetooth Classic profiles HFP, A2DP, and AVRCP and also expose additional, undocumented L2CAP/RFCOMM channels. CVE-2025-13834 arises when the control channel (DLCI 0) receives a TEST command with a large length field but an empty payload; the faulty response handler returns a buffer of uninitialized memory, allowing disclosure of up to 127 bytes per packet, and is mechanistically related to CVE-2014-0160 (Heartbleed). CVE-2025-13328 results from RFCOMM flooding: overwhelming DLCI 0 with high volumes of legitimate TEST commands exhausts processing resources and crashes the firmware. Other RFCOMM data channels, including the standard HFP channel and an undocumented Airoha auxiliary service channel, can be flooded via MSC (Modem Status Command) signaling frames.
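The missing length check behind CVE-2025-13834 can be modelled on the receiving side. The following is an added example, not code from the advisory or from the vendor's firmware: `mcc_test_reply`, `rx_pool` and the sample messages are hypothetical, and the reused buffer is a constructed stand-in for whatever memory the real handler echoes. It assumes the TS 07.10 control-message layout used by RFCOMM (type octet, single length octet, value), whose 7-bit length matches the 127-byte bound quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MCC_TEST  0x08u  /* TS 07.10 multiplexer TEST message type */
#define POOL_SIZE 129u   /* type + length octet + up to 127 value octets */

/* Constructed stand-in for a reused receive buffer that is never cleared. */
static uint8_t rx_pool[POOL_SIZE];

/* Build the TEST echo for a control message received on DLCI 0.
 * strict == 0 models the flaw: the declared length is trusted.
 * strict != 0 is the hardened form: the declared length must equal the
 * number of value octets actually received.
 * Returns the reply length, or -1 when the message is dropped. */
int mcc_test_reply(const uint8_t *msg, size_t msg_len, int strict,
                   uint8_t *out, size_t out_cap)
{
    if (msg_len < 2 || msg_len > POOL_SIZE) return -1;
    memcpy(rx_pool, msg, msg_len);          /* older bytes remain past msg_len */

    if ((rx_pool[0] >> 2) != MCC_TEST) return -1;
    if (!(rx_pool[1] & 0x01u)) return -1;   /* EA bit: single length octet only */

    size_t declared = rx_pool[1] >> 1;      /* 7 bits, so at most 127 */
    size_t received = msg_len - 2;
    if (strict && declared != received) return -1;
    if (out_cap < declared + 2) return -1;

    out[0] = rx_pool[0] & (uint8_t)~0x02u;  /* clear C/R: this is a response */
    out[1] = rx_pool[1];
    memcpy(out + 2, rx_pool + 2, declared); /* declared <= 127 stays in the pool */
    return (int)(declared + 2);
}

int main(void)
{
    /* Constructed messages: a well-formed TEST, then length 127 with no value. */
    const uint8_t good[] = { 0x23, 0x09, 'A', 'B', 'C', 'D' };
    const uint8_t bad[]  = { 0x23, 0xFF };
    uint8_t out[POOL_SIZE];

    printf("good, strict: %d\n", mcc_test_reply(good, sizeof good, 1, out, sizeof out));
    printf("bad, lenient: %d\n", mcc_test_reply(bad, sizeof bad, 0, out, sizeof out));
    printf("bad, strict:  %d\n", mcc_test_reply(bad, sizeof bad, 1, out, sizeof out));
    return 0;
}
```

In the lenient mode the reply to the empty message carries bytes left over from the earlier well-formed one; the strict mode drops it before any copy takes place.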

Both vulnerabilities are exploitable by an unpaired, unauthenticated attacker within Bluetooth radio range without prior user interaction; the only prerequisite noted is obtaining the MAC address of the target device. The advisory reports successful exploitation at an approximate distance of twenty meters using standard dongles and no additional signal amplification, while noting that physical barriers and Bluetooth version differences can be expected to influence the effective range. CVE-2025-13834 can disclose memory contents used during or after private calls, with a proof-of-concept shown retrieving the phone number of an active call peer and other metadata from the affected memory pool. CVE-2025-13328 can induce repeatable firmware crashes that forcibly terminate paired connections; restoring operation requires physically resetting the earbuds by returning them to the charging case.

Vendor contact and remediation status are unavailable: Xiaomi could not be reached for statements regarding remediation plans or mitigation guidance. The advisory does not report a vendor fix or patch in the notice.

The advisory restates recommended user actions: to reduce exposure, users are advised to disable Bluetooth when the earbuds are not in use, particularly in public or shared environments.