{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54412", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-06-13T16:39:46.122Z", "datePublished": "2026-06-14T17:26:36.740Z", "dateUpdated": "2026-06-15T17:01:16.924Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-14T17:27:35.016Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "A remote attacker controlling an MQTT broker - or able to inject one PUBLISH packet into an unencrypted MQTT session a victim has subscribed to - crashes a subscribed MQTT-C client by sending a single crafted PUBLISH packet whose topic_name_size exceeds the remaining_length field. The vulnerable client advances the parse pointer into unmapped heap memory (out-of-bounds read primitive that may also disclose adjacent heap bytes), then computes application_message_size as an unsigned subtraction that underflows to a value near 2^32, and finally passes that value to memmove(), crashing the process. Any IoT or embedded device built on MQTT-C that connects to a shared, untrusted, or compromised broker is reachable for repeated, unauthenticated denial of service."}]}], "affected": [{"vendor": "LiamBindle", "product": "MQTT-C", "collectionURL": "https://github.com/LiamBindle/MQTT-C", "repo": "https://github.com/LiamBindle/MQTT-C", "programFiles": ["src/mqtt.c"], "programRoutines": [{"name": "mqtt_unpack_publish_response"}], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the <code>mqtt_unpack_publish_response()</code> function in <code>src/mqtt.c</code> that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header <code>remaining_length</code> is at least 4, then reads the 16-bit <code>topic_name_size</code> field from the broker-controlled packet and advances the parse pointer by that value without verifying that <code>topic_name_size</code> plus the surrounding overhead fits within <code>remaining_length</code>; it subsequently computes <code>application_message_size</code> as <code>remaining_length - topic_name_size - 2</code> (QoS 0) or <code>- 4</code> (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to <code>memmove()</code>. A PUBLISH packet with <code>topic_name_size = 0xFFFF</code> and <code>remaining_length = 7</code> advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an <code>application_message_size</code> near 2^32, crashing the process when the resulting <code>memmove()</code> is executed.&nbsp;</p>"}]}], "references": [{"url": "https://github.com/LiamBindle/MQTT-C", "name": "LiamBindle/MQTT-C - upstream repository (unmaintained since 2022-10-27)", "tags": ["product"]}, {"url": "https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/src/mqtt.c#L1334", "name": "Vulnerable mqtt_unpack_publish_response() in src/mqtt.c (v1.1.6)", "tags": ["product"]}, {"url": "https://cwe.mitre.org/data/definitions/125.html", "name": "CWE-125: Out-of-bounds Read", "tags": ["technical-description"]}, {"url": "https://cwe.mitre.org/data/definitions/191.html", "name": "CWE-191: Integer Underflow (Wrap or Wraparound)", "tags": ["technical-description"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "A malicious MQTT broker, or a network attacker capable of injecting a single MQTT PUBLISH packet into an unencrypted session that the victim client has subscribed to, sends one crafted packet with topic_name_size = 0xFFFF and remaining_length = 7 to crash an MQTT-C-based client process and optionally disclose adjacent heap bytes through the out-of-bounds read primitive."}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}}], "credits": [{"lang": "en", "value": "Saidakbarxon Maxsudxonov", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}, "x_author": "Saidakbarxon Maxsudxonov", "x_assigner_notes": "The vulnerable mqtt_unpack_publish_response() body was verified at exactly the v1.1.6 release tag and at master HEAD; the two are byte-identical for this function. The function performs only a 'remaining_length >= 4' fixed-header sanity check (mqtt.c:1349) and then trusts the broker-controlled 16-bit topic_name_size field at mqtt.c:1354 both as a pointer offset (mqtt.c:1357) and as a subtrahend in the unsigned application_message_size computation (mqtt.c:1367/1369). The last commit to LiamBindle/MQTT-C on master is dated 2022-10-27; the project appears unmaintained and no upstream fix is available. defaultStatus is 'unknown' pending vendor confirmation. CVSS 4.0 is scored 8.7 HIGH and CVSS 3.1 is scored 8.2 HIGH, treating the OOB read as VC:L/C:L (limited heap-byte disclosure subject to allocator layout, often masked by the immediately following crash) and the integer-underflow-driven memmove() crash as VA:H/A:H. Mitigation guidance for downstream consumers: validate topic_name_size + 2 + (qos_level > 0 ? 2 : 0) <= remaining_length before using topic_name_size as a pointer offset or as a subtrahend, or migrate to a maintained MQTT client library (e.g. Eclipse Paho MQTT C, libmosquitto)."}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T17:01:08.771614Z", "id": "CVE-2026-54412", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T17:01:16.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Saidakbarxon Maxsudxonov"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A remote attacker controlling an MQTT broker - or able to inject one PUBLISH packet into an unencrypted MQTT session a victim has subscribed to - crashes a subscribed MQTT-C client by sending a single crafted PUBLISH packet whose topic_name_size exceeds the remaining_length field. The vulnerable client advances the parse pointer into unmapped heap memory (out-of-bounds read primitive that may also disclose adjacent heap bytes), then computes application_message_size as an unsigned subtraction that underflows to a value near 2^32, and finally passes that value to memmove(), crashing the process. Any IoT or embedded device built on MQTT-C that connects to a shared, untrusted, or compromised broker is reachable for repeated, unauthenticated denial of service."}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.8, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "A malicious MQTT broker, or a network attacker capable of injecting a single MQTT PUBLISH packet into an unencrypted session that the victim client has subscribed to, sends one crafted packet with topic_name_size = 0xFFFF and remaining_length = 7 to crash an MQTT-C-based client process and optionally disclose adjacent heap bytes through the out-of-bounds read primitive."}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/LiamBindle/MQTT-C", "vendor": "LiamBindle", "product": "MQTT-C", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.6"}], "programFiles": ["src/mqtt.c"], "collectionURL": "https://github.com/LiamBindle/MQTT-C", "defaultStatus": "unknown", "programRoutines": [{"name": "mqtt_unpack_publish_response"}]}], "x_author": "Saidakbarxon Maxsudxonov", "references": [{"url": "https://github.com/LiamBindle/MQTT-C", "name": "LiamBindle/MQTT-C - upstream repository (unmaintained since 2022-10-27)", "tags": ["product"]}, {"url": "https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/src/mqtt.c#L1334", "name": "Vulnerable mqtt_unpack_publish_response() in src/mqtt.c (v1.1.6)", "tags": ["product"]}, {"url": "https://cwe.mitre.org/data/definitions/125.html", "name": "CWE-125: Out-of-bounds Read", "tags": ["technical-description"]}, {"url": "https://cwe.mitre.org/data/definitions/191.html", "name": "CWE-191: Integer Underflow (Wrap or Wraparound)", "tags": ["technical-description"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.", "supportingMedia": [{"type": "text/html", "value": "<p>LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the <code>mqtt_unpack_publish_response()</code> function in <code>src/mqtt.c</code> that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header <code>remaining_length</code> is at least 4, then reads the 16-bit <code>topic_name_size</code> field from the broker-controlled packet and advances the parse pointer by that value without verifying that <code>topic_name_size</code> plus the surrounding overhead fits within <code>remaining_length</code>; it subsequently computes <code>application_message_size</code> as <code>remaining_length - topic_name_size - 2</code> (QoS 0) or <code>- 4</code> (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to <code>memmove()</code>. A PUBLISH packet with <code>topic_name_size = 0xFFFF</code> and <code>remaining_length = 7</code> advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an <code>application_message_size</code> near 2^32, crashing the process when the resulting <code>memmove()</code> is executed.&nbsp;</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-14T17:27:35.016Z"}, "x_assigner_notes": "The vulnerable mqtt_unpack_publish_response() body was verified at exactly the v1.1.6 release tag and at master HEAD; the two are byte-identical for this function. The function performs only a 'remaining_length >= 4' fixed-header sanity check (mqtt.c:1349) and then trusts the broker-controlled 16-bit topic_name_size field at mqtt.c:1354 both as a pointer offset (mqtt.c:1357) and as a subtrahend in the unsigned application_message_size computation (mqtt.c:1367/1369). The last commit to LiamBindle/MQTT-C on master is dated 2022-10-27; the project appears unmaintained and no upstream fix is available. defaultStatus is 'unknown' pending vendor confirmation. CVSS 4.0 is scored 8.7 HIGH and CVSS 3.1 is scored 8.2 HIGH, treating the OOB read as VC:L/C:L (limited heap-byte disclosure subject to allocator layout, often masked by the immediately following crash) and the integer-underflow-driven memmove() crash as VA:H/A:H. Mitigation guidance for downstream consumers: validate topic_name_size + 2 + (qos_level > 0 ? 2 : 0) <= remaining_length before using topic_name_size as a pointer offset or as a subtrahend, or migrate to a maintained MQTT client library (e.g. Eclipse Paho MQTT C, libmosquitto)."}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54412", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T17:01:08.771614Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-15T17:01:11.558Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-54412", "state": "PUBLISHED", "dateUpdated": "2026-06-14T17:27:35.016Z", "dateReserved": "2026-06-13T16:39:46.122Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-06-14T17:26:36.740Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed."}], "id": "CVE-2026-54412", "lastModified": "2026-06-16T15:36:43.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-06-14T18:17:20.750", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://cwe.mitre.org/data/definitions/125.html"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://cwe.mitre.org/data/definitions/191.html"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/LiamBindle/MQTT-C"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/src/mqtt.c#L1334"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"created": "2026-06-14T19:30:14.414663+00:00", "updated": "2026-06-14T19:30:14.414675+00:00", "vendors": []}