Description
A vulnerability was detected in 78 xiaozhi-esp32 up to 2.2.6. This vulnerability affects the function Application::GetInstance of the file main/protocols/mqtt_protocol.cc of the component MQTT Goodbye Handler. Performing a manipulation of the argument session_id results in denial of service. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is now public and may be used. The patch is named e182471f8c5a22434346bd98da34d3b66c8c8b3e. It is recommended to apply a patch to fix this issue.
Published: 2026-06-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The identified issue exists in the Application::GetInstance function within the MQTT Goodbye Handler component of 78:xiaozhi-esp32 firmware. By manipulating the session_id argument, an attacker can force the function to crash, causing a denial of service. This flaw is classified under CWE‑404 and allows a remote adversary to disrupt device operation without needing local access.

Affected Systems

Affected firmware versions are all releases up to and including 2.2.6 of the 78:xiaozhi-esp32 component. The problem is present in the MQTT protocol implementation shipped with those builds, as enumerated by the vendor's CPE string.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity resolution. EPSS is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers can launch a remote DoS with relatively high complexity and difficult exploitability, but exploit code is publicly available. Applying the available patch mitigates the issue, yet interim monitoring of MQTT sessions is advised.

Generated by OpenCVE AI on June 28, 2026 at 13:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch (commit e182471f8c5a22434346bd98da34d3b66c8c8b3e) to the firmware.
  • Disable or restrict remote MQTT connections to vendors that do not need them, or configure firewall rules to limit access.
  • Implement monitoring of MQTT session activity to detect abnormal drops or restarts, and log any discrepancies for investigation.

Generated by OpenCVE AI on June 28, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in 78 xiaozhi-esp32 up to 2.2.6. This vulnerability affects the function Application::GetInstance of the file main/protocols/mqtt_protocol.cc of the component MQTT Goodbye Handler. Performing a manipulation of the argument session_id results in denial of service. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is now public and may be used. The patch is named e182471f8c5a22434346bd98da34d3b66c8c8b3e. It is recommended to apply a patch to fix this issue.
Title 78 xiaozhi-esp32 MQTT Goodbye mqtt_protocol.cc GetInstance denial of service
First Time appeared 78
78 xiaozhi-esp32
Weaknesses CWE-404
CPEs cpe:2.3:a:78:xiaozhi-esp32:*:*:*:*:*:*:*:*
Vendors & Products 78
78 xiaozhi-esp32
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

78 Xiaozhi-esp32
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T11:15:10.481Z

Reserved: 2026-06-27T16:04:15.073Z

Link: CVE-2026-13491

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T16:45:04Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release