Description
CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
Published: 2026-04-02
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through remote client crash
Action: Immediate Patch
AI Analysis

Impact

CocoaMQTT contains a flaw in its packet parsing logic that triggers a reachable assertion when a 4‑byte malformed payload is received on a topic marked with the RETAIN flag. The assertion causes the client application to crash in the background, resulting in a persistent denial of service that prevents the user from interacting with the app until the malformed message is removed from the broker. This weakness is classified as CWE‑617, an Improper Handling of Assertion issue.

Affected Systems

The vulnerability affects the CocoaMQTT Swift MQTT client library used in iOS, macOS, and tvOS applications. Versions prior to 2.2.2 are susceptible; the fix was introduced in release 2.2.2 and subsequent versions.

Risk and Exploitability

The CVSS score of 5.7 indicates a medium impact, and the EPSS score of less than 1% suggests a low probability of exploitation. It is not listed in the CISA KEV catalog. Attacks require an attacker who controls or compromises a MQTT broker to publish a malformed retained packet; any vulnerable client that subscribes to that topic will instantly crash, making the exploitation path remote and straightforward for a broker operator.

Generated by OpenCVE AI on April 7, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CocoaMQTT to version 2.2.2 or newer
  • Ensure the patched library is used in all iOS, macOS, and tvOS applications
  • If an upgrade is not yet possible, delete any retained messages containing the malformed payload from your broker or block messages with the RETAIN flag
  • Monitor broker logs for anomalous retained messages and validate that the application no longer crashes on receipt of such packets

Generated by OpenCVE AI on April 7, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r3fr-7m74-q7g2 CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing
History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
Apple macos
CPEs cpe:2.3:a:emqx:cocoamqtt:*:*:*:*:*:swift:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os
Apple macos

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Emqx
Emqx cocoamqtt
Vendors & Products Emqx
Emqx cocoamqtt

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
Title CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Apple Iphone Os Macos
Emqx Cocoamqtt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:23:13.357Z

Reserved: 2026-03-05T21:27:35.343Z

Link: CVE-2026-30867

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T14:16:28.407

Modified: 2026-04-07T18:04:00.657

Link: CVE-2026-30867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:28Z

Weaknesses