CVE-2026-54412

June 14, 2026, 6:17 p.m.

7.8
High

Description

LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.

Product(s) Impacted

Vendor Product Versions
Liambindle
  • Mqtt-c
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a liambindle mqtt-c / / / / / / / /

References

https://cwe.mitre.org/data/definitions/125.html
https://cwe.mitre.org/data/definitions/191.html
https://github.com/LiamBindle/MQTT-C
https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/src/mqtt.c#L1334

Tags

CWE-125
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
2026-06-14
CVE-2026-54412

CVSS Score

7.8 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: PROOF_OF_CONCEPT

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X

    View Vector String

Timeline

Published: June 14, 2026, 6:17 p.m.
Last Modified: June 14, 2026, 6:17 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.