Skip to main content

Apple CVE-2026-30867

| EUVDEUVD-2026-18235 MEDIUM
Reachable Assertion (CWE-617)
2026-04-02 security-advisories@github.com GHSA-r3fr-7m74-q7g2
5.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.2
EUVD ID Assigned
Apr 02, 2026 - 14:22 euvd
EUVD-2026-18235
Analysis Generated
Apr 02, 2026 - 14:22 vuln.today
CVE Published
Apr 02, 2026 - 14:16 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.

AnalysisAI

CocoaMQTT library versions prior to 2.2.2 allow remote denial of service when parsing malformed MQTT packets from a broker, causing immediate application crashes on iOS, macOS, and tvOS devices. An attacker or compromised MQTT broker can publish a 4-byte malformed payload with the RETAIN flag to persist it indefinitely, ensuring every vulnerable client that subscribes receives the crash-inducing packet, effectively bricking the application until manual intervention on the broker. The vulnerability requires an authenticated user context (PR:L in CVSS vector) but impacts application availability with high severity; patch version 2.2.2 is available.

Technical ContextAI

CocoaMQTT is a Swift-based MQTT 5.0 protocol client library for Apple platforms. The vulnerability resides in packet parsing logic (CWE-617: Reachable Assertion) that fails to validate malformed packet structures before processing them. MQTT brokers with message retention enabled (RETAIN flag) can persist specially crafted 4-byte payloads that trigger an assertion failure or unhandled exception during packet deserialization. When a client connects and subscribes to a topic containing such a retained message, the broker automatically pushes the malformed packet to the client, where the parsing code crashes before any application-level handling occurs. This is a state-persistence attack vector unique to MQTT's retention feature, allowing one-time malicious publication to affect all future subscribers.

RemediationAI

Upgrade CocoaMQTT to version 2.2.2 or later, which patches the packet parsing vulnerability. Users managing Swift projects should update their package dependencies via Swift Package Manager by specifying version 2.2.2 or higher in Package.swift or Xcode project settings. The fix is available in the official release at https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2. For applications already deployed, coordinate a software update to affected iOS/macOS/tvOS clients. Brokers should also review retention policies and access controls to prevent unauthorized message publication. No workarounds are available short of removing the library or disabling MQTT subscriptions.

Share

CVE-2026-30867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy