Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via MQTT but AC:H due to required message crafting knowledge; PR:N per CVSS 4.0 input; availability only, low impact as session crash may auto-recover.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in 78 xiaozhi-esp32 up to 2.2.6. This vulnerability affects the function Application::GetInstance of the file main/protocols/mqtt_protocol.cc of the component MQTT Goodbye Handler. Performing a manipulation of the argument session_id results in denial of service. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is now public and may be used. The patch is named e182471f8c5a22434346bd98da34d3b66c8c8b3e. It is recommended to apply a patch to fix this issue.
AnalysisAI
Denial-of-service in xiaozhi-esp32 MQTT firmware (versions up to 2.2.6) allows a remote attacker to crash the device's MQTT session handler by sending a crafted goodbye message containing a non-string session_id field. The MQTT Goodbye Handler in mqtt_protocol.cc fails to validate the cJSON type of the session_id node before dereferencing its valuestring member, producing undefined behavior that terminates the session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The device must be connected to an MQTT broker that the attacker can publish to, or the attacker must be positioned to inject MQTT messages into the device's communication channel. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P) yields a base score of 6.3, reflecting a network-reachable flaw requiring no privileges but significant attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the MQTT broker (or acting as a man-in-the-middle on the MQTT channel) publishes a crafted goodbye message to the device's subscribed topic where the session_id field is a JSON number or boolean rather than a string. The ESP32 firmware's cJSON parser returns a non-null node that fails the old NULL check, causing the firmware to dereference an invalid valuestring pointer and crash the MQTT session handler. … |
| Remediation | Apply the upstream patch commit e182471f8c5a22434346bd98da34d3b66c8c8b3e, available via GitHub pull request #2023 (https://github.com/78/xiaozhi-esp32/pull/2023). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Xiaozhi Esp32
View allSame weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39991
GHSA-rwf9-x45x-533w