Description
In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
Published: 2026-05-18
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the tinyMQTT broker causes it to leave a TCP socket open after responding with a CONNACK return code 0x02 for a CONNECT packet that has a zero‑length Client ID and sets CleanSession to 0. The resulting open socket remains attached to the broker process's file descriptor table, creating a resource leak that grows with each malformed CONNECT attempt. The weakness is classified as erroneous resource handling and failure to release connections, which can be exploited to exhaust server file descriptors and memory, ultimately leading to service interruption.

Affected Systems

The vulnerable code is present in tinyMQTT versions that include commit 6226ade15bd4f97be2d196352e64dd10937c1962, dated 18 February 2024. Any build that has not incorporated the follow‑up patch that closes the connection after a 0x02 CONNACK is affected. The project is hosted on GitHub and does not list a formal vendor; it is an open‑source broker distribution.

Risk and Exploitability

Based on the description, it is inferred that the issue can be triggered remotely by an authenticated or unauthenticated client simply by sending the malformed CONNECT packet over the network. No special privileges are required. Because each request keeps a socket open, an attacker can repeatedly send them to accumulate a large number of file descriptors, consuming memory and potentially causing the broker to fail or crash. The CVSS score is 7.5, indicating a medium‑to‑high impact. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The exploit path is straightforward: the broker always replies with a standard CONNACK, meaning the attacker can continue to send malformed packets until resources are exhausted.

Generated by OpenCVE AI on May 18, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed version of tinyMQTT that closes sockets after sending a CONNACK return code 0x02 for a zero‑length Client ID with CleanSession set to 0.
  • If an upgrade is not possible, patch the broker source to add an explicit call to close the TCP connection immediately after sending the CONNACK for the described error condition.
  • Implement rate limiting or a connection‑throttle policy to cap the number of CONNECT attempts per IP address, and monitor the broker’s open file descriptor count to detect abnormal growth.

Generated by OpenCVE AI on May 18, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title tinyMQTT Broker Resource Exhaustion via Malformed CONNECT Packet

Mon, 18 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Open TCP Connection Leakage Causes Denial of Service in tinyMQTT via Malformed CONNECT
Weaknesses CWE-770

Mon, 18 May 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Justdoit0910
Justdoit0910 tinymqtt
Vendors & Products Justdoit0910
Justdoit0910 tinymqtt

Mon, 18 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Open TCP Connection Leakage Causes Denial of Service in tinyMQTT via Malformed CONNECT
Weaknesses CWE-400
CWE-770

Mon, 18 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
References

Subscriptions

Justdoit0910 Tinymqtt
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-18T17:27:28.823Z

Reserved: 2025-08-16T00:00:00.000Z

Link: CVE-2025-56352

cve-icon Vulnrichment

Updated: 2026-05-18T17:23:38.551Z

cve-icon NVD

Status : Deferred

Published: 2026-05-18T16:16:29.130

Modified: 2026-05-18T20:27:23.023

Link: CVE-2025-56352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T21:30:15Z

Weaknesses