Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X
AC:H reflects that exploitation requires controlling the victim's MQTT broker or achieving MitM network position - neither is trivial opportunistic access.
Primary rating from Vendor (TuranSec).
Description (source: CVE.org)
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
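The missing length check described above, shown in an added illustrative C parser that is not MQTT-C's own code: unpack_publish_checked() is a hypothetical, simplified model of the PUBLISH variable-header parse the description outlines, with the bound on topic_name_size added so that the crafted values quoted in the description (topic_name_size = 0xFFFF, remaining_length = 7) are rejected before any pointer advance or unsigned subtraction; the function and type names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified PUBLISH unpacker written for this note; it is NOT
 * MQTT-C's mqtt_unpack_publish_response(). It models the parse the advisory
 * describes and adds the check it says is missing: topic_name_size plus the
 * overhead (2 bytes for QoS 0, 4 for QoS > 0) must fit in remaining_length
 * before the parse pointer moves and before the message size is subtracted. */
enum { PUB_OK = 0, PUB_ERR_SHORT = -1, PUB_ERR_BUFFER = -2, PUB_ERR_TOPIC_LEN = -3 };

struct publish_view {
    const uint8_t *topic;  uint16_t topic_len;
    const uint8_t *msg;    uint32_t msg_len;
    uint8_t qos;           uint16_t packet_id;
};

/* buf: bytes after the fixed header; buf_len: bytes actually received;
 * remaining_length: decoded from the fixed header; qos: from the flag bits. */
int unpack_publish_checked(const uint8_t *buf, size_t buf_len,
                           uint32_t remaining_length, uint8_t qos,
                           struct publish_view *out)
{
    uint32_t overhead = (qos > 0) ? 4u : 2u;          /* topic length (+ packet id) */
    if (remaining_length < overhead) return PUB_ERR_SHORT;
    if (remaining_length > buf_len)  return PUB_ERR_BUFFER; /* trust only received bytes */
    uint16_t topic_len = (uint16_t)((buf[0] << 8) | buf[1]);
    /* The bound the advisory describes as absent: without it, p += topic_len
     * walks past the packet and the msg_len subtraction below wraps. */
    if (topic_len > remaining_length - overhead) return PUB_ERR_TOPIC_LEN;
    const uint8_t *p = buf + 2;
    out->topic = p;  out->topic_len = topic_len;  p += topic_len;
    out->qos = qos;  out->packet_id = 0;
    if (qos > 0) { out->packet_id = (uint16_t)((p[0] << 8) | p[1]); p += 2; }
    out->msg = p;
    out->msg_len = remaining_length - overhead - topic_len; /* cannot underflow */
    return PUB_OK;
}

int main(void)
{
    /* Constructed packet with the advisory's values: topic_name_size 0xFFFF
     * inside a 7-byte remaining_length. */
    const uint8_t crafted[7] = {0xFF, 0xFF, 0, 0, 0, 0, 0};
    struct publish_view v;
    int rc = unpack_publish_checked(crafted, sizeof crafted, 7, 0, &v);
    printf("crafted packet -> %s\n", rc == PUB_ERR_TOPIC_LEN ? "rejected" : "accepted");
    return rc == PUB_ERR_TOPIC_LEN ? 0 : 1;
}
```

The same bound also rejects any topic length that leaves less than the QoS-dependent overhead, so the derived msg_len can never exceed the bytes actually received.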
Analysis (AI-generated)
Heap-based out-of-bounds read and integer underflow in LiamBindle MQTT-C (all versions through 1.1.6) allows a remote attacker who controls an MQTT broker - or who can inject packets into an unencrypted MQTT session - to crash any subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single specially crafted PUBLISH packet. The flaw resides in mqtt_unpack_publish_response() in src/mqtt.c, where the broker-supplied 16-bit topic_name_size field is used to advance a parse pointer without validating it fits within the packet's remaining_length, and the subsequent unsigned subtraction to derive application_message_size wraps to near 2^32 and is passed directly to memmove(). …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The victim application must be built against MQTT-C version 1.1.6 or earlier and must be operating as a subscribing MQTT client; specifically, it must have called mqtt_subscribe() and be processing incoming PUBLISH packets from a broker. … |
| Risk Assessment | The vendor-assigned CVSS 4.0 score of 7.8 (High) reflects network delivery, no privilege requirement, and high availability impact with low confidentiality impact, which is broadly accurate. … |
| Exploit Scenario | An attacker spins up a public MQTT broker and waits for MQTT-C-based IoT devices to connect, or compromises an existing broker serving a fleet of devices; alternatively, an attacker on the same LAN uses ARP spoofing to intercept an unencrypted MQTT session on port 1883. Once in the broker role or injection position, the attacker sends a single PUBLISH packet with topic_name_size set to 0xFFFF and remaining_length set to 7, causing the client's mqtt_unpack_publish_response() to dereference 65,535 bytes past the receive buffer and subsequently call memmove() with a size near 2^32, instantly crashing the client process. … |
| Remediation | No vendor-released patched version of MQTT-C has been identified at time of analysis; the available references link only to the upstream repository at https://github.com/LiamBindle/MQTT-C and the specific vulnerable source line, with no associated fix commit, patch advisory, or tagged release. … |
Recommended Action (AI-generated)
24 hours: Identify all systems deploying LiamBindle MQTT-C through v1.1.6 and map their network connectivity to MQTT brokers. …
Related identifiers: EUVD-2026-36663, GHSA-28cw-rpqc-wqqj