CVE-2026-54412
MQTT-C Heap Out-of-Bounds Read and Integer Underflow
Description
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
INFO
Published Date :
June 14, 2026, 6:17 p.m.
Last Modified :
June 14, 2026, 6:17 p.m.
Remotely Exploit :
Yes !
Source :
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Affected Products
The following products are affected by CVE-2026-54412
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c | ||||
| CVSS 3.1 | HIGH | MITRE-CVE | ||||
| CVSS 4.0 | HIGH | 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c | ||||
| CVSS 4.0 | HIGH | 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c |
Solution
- Update MQTT-C to a version later than 1.1.6.
- Apply vendor patches for the identified vulnerability.
- Validate packet handling logic for remaining_length.
- Ensure topic name size checks prevent buffer overflows.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-54412.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-54412 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-54412
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-54412 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-54412 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Jun. 14, 2026
Action Type Old Value New Value Added Description LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Added CWE CWE-125 Added CWE CWE-191 Added Reference https://cwe.mitre.org/data/definitions/125.html Added Reference https://cwe.mitre.org/data/definitions/191.html Added Reference https://github.com/LiamBindle/MQTT-C Added Reference https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/src/mqtt.c#L1334