Bluetooth Stack Vulnerability in Volkswagen MIB3 Infotainment System
CVE-2023-28909

8HIGH

Key Information:

Vendor: Preh Car Connect Gmbh (joynext Gmbh)
Status: Volkswagen Mib3 Infotainment System Mib3 Oi MQb
Vendor: CVE Published:; 28 June 2025

🔔 Create Preh Car Connect Gmbh (joynext Gmbh) Vulnerability Alert

What is CVE-2023-28909?

A flaw in the Bluetooth stack of Volkswagen's MIB3 infotainment unit arises from inadequate validation of user-supplied data. This weakness can lead to integer overflow when fragmented HCI packets are received on a channel, enabling attackers to bypass MTU checks where fragmentation is enabled. Exploiting this vulnerability could result in a buffer overflow on upper layer profiles, thereby permitting remote code execution. Affected systems include various OEM part numbers, notably the Skoda Superb III unit with part number 3V0035820, raising significant cybersecurity concerns.

Affected Version(s)

Volkswagen MIB3 infotainment system MIB3 OI MQB 0 <= 0304

References

https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishc...

https://pcacybersecurity.com/resources/advisory/vulnerabi...

technical-description

https://asrg.io/security-advisories/vulnerabilities-in-vo...

third-party-advisory

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 28, 2025
Vulnerability Reserved
Mar 27, 2023

Credit

Mikhail Evdokimov from PCA Cyber Security (PCAutomotive)