Description
CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
Published: 2026-04-02
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via application crash
Action: Patch Immediately
AI Analysis

Impact

The issue resides in CocoaMQTT's packet parsing logic for MQTT 5.0. By publishing a 4‑byte malformed payload with the RETAIN flag, an attacker—either a compromised broker or malicious broker operator—forces the client to receive a corrupted packet. When the client decodes the packet, the application crashes immediately, even when running in the background. The crash effectively locks out the user until the retained message is removed from the broker, resulting in a persistent denial of service.

Affected Systems

CocoaMQTT – a Swift‑based MQTT 5.0 client for iOS, macOS, and tvOS – is affected. Versions prior to 2.2.2 from the emqx product line are vulnerable. The client applications built against these versions should be considered at risk until the library is upgraded.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. Although EPSS data is unavailable and the vulnerability is not listed in KEV, the exploit is straightforward: any entity that can publish to a broker that the client subscribes to can trigger the crash. An attacker only needs to send a malformed 4‑byte payload with the RETAIN flag set, which is executed automatically by the broker. The risk is amplified when the broker is controlled by an adversary, as the malicious message will be pushed to all subscribing clients, leading to widespread application downtime.

Generated by OpenCVE AI on April 2, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CocoaMQTT to version 2.2.2 or later
  • If upgrading is not possible, clear retained messages on the MQTT broker for topics used by vulnerable clients
  • If unable to clear retained messages, disable the RETAIN flag on outgoing messages from the broker
  • Monitor client applications for crash logs and verify patch application

Generated by OpenCVE AI on April 2, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Emqx
Emqx cocoamqtt
Vendors & Products Emqx
Emqx cocoamqtt

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
Title CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Emqx Cocoamqtt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:23:13.357Z

Reserved: 2026-03-05T21:27:35.343Z

Link: CVE-2026-30867

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T14:16:28.407

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-30867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:21:08Z

Weaknesses