Skip to main content

coreMQTT EUVDEUVD-2026-30581

| CVE-2026-8686 HIGH
Out-of-bounds Read (CWE-125)
2026-05-15 AMZN
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 15, 2026 - 19:33 vuln.today
Analysis Generated
May 15, 2026 - 19:33 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
7.5 (HIGH) 8.7 (HIGH)

DescriptionCVE.org

Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet.

To remediate this issue, users should upgrade to v5.0.1.

AnalysisAI

Denial of service vulnerability in coreMQTT versions before 5.0.1 allows remote MQTT brokers to crash client applications through malformed MQTT v5.0 property packets. The vulnerability stems from missing bounds validation in the property parser, enabling out-of-bounds read conditions (CWE-125). Amazon Web Services has issued a security bulletin and released version 5.0.1 to address this issue.

Technical ContextAI

coreMQTT is an open-source MQTT client library developed by FreeRTOS/Amazon for embedded and IoT applications. The vulnerability affects the MQTT v5.0 protocol property parsing functionality, where insufficient bounds checking can lead to out-of-bounds memory reads when processing specially crafted packets from MQTT brokers. CWE-125 indicates this is a classic buffer over-read vulnerability that can cause application crashes. The CPE identifier confirms all versions prior to 5.0.1 are affected.

RemediationAI

Upgrade coreMQTT to version 5.0.1 or later, available at https://github.com/FreeRTOS/coreMQTT/releases/tag/v5.0.1. For systems that cannot immediately upgrade, implement network segmentation to ensure MQTT clients only connect to trusted broker infrastructure. Monitor MQTT broker logs for suspicious activity and implement broker-side input validation where possible. Consider implementing connection retry logic with exponential backoff in client applications to mitigate the impact of denial of service attacks.

Share

EUVD-2026-30581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy