Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet.
To remediate this issue, users should upgrade to v5.0.1.
AnalysisAI
Denial of service vulnerability in coreMQTT versions before 5.0.1 allows remote MQTT brokers to crash client applications through malformed MQTT v5.0 property packets. The vulnerability stems from missing bounds validation in the property parser, enabling out-of-bounds read conditions (CWE-125). Amazon Web Services has issued a security bulletin and released version 5.0.1 to address this issue.
Technical ContextAI
coreMQTT is an open-source MQTT client library developed by FreeRTOS/Amazon for embedded and IoT applications. The vulnerability affects the MQTT v5.0 protocol property parsing functionality, where insufficient bounds checking can lead to out-of-bounds memory reads when processing specially crafted packets from MQTT brokers. CWE-125 indicates this is a classic buffer over-read vulnerability that can cause application crashes. The CPE identifier confirms all versions prior to 5.0.1 are affected.
RemediationAI
Upgrade coreMQTT to version 5.0.1 or later, available at https://github.com/FreeRTOS/coreMQTT/releases/tag/v5.0.1. For systems that cannot immediately upgrade, implement network segmentation to ensure MQTT clients only connect to trusted broker infrastructure. Monitor MQTT broker logs for suspicious activity and implement broker-side input validation where possible. Consider implementing connection retry logic with exponential backoff in client applications to mitigate the impact of denial of service attacks.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30581