Description
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
Published: 2026-06-14
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MQTT-C versions up to 1.1.6 contain a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() routine. The function checks only that the remaining_length field of a PUBLISH packet is at least 4, then reads the 16-bit topic_name_size value and advances the parsing pointer by that amount without verifying that topic_name_size plus the surrounding fields fits within remaining_length. The subsequent unsigned arithmetic computing the application message size can underflow, producing a very large count that is passed to memmove(). A crafted packet containing a topic_name_size of 0xFFFF and a remaining_length of 7 makes the parser read far beyond the received data and triggers a crash, with the possibility of disclosing adjacent heap data. The impact is a denial-of-service crash and potential disclosure of memory contents in a subscribed client.
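To make the size arithmetic in the description concrete, here is an added example (constructed for this page, not MQTT-C's own code) that models the PUBLISH body layout the advisory describes: the trusted-length computation next to a version with the missing fit check. The function names, the `received` parameter and the two sample packets are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of an MQTT 3.1.1 PUBLISH body (not MQTT-C's own
 * code). After the fixed header the body is laid out as
 *   [topic_len_hi][topic_len_lo][topic bytes][packet id if QoS > 0][payload]
 * and remaining_length is the body size the fixed header claims. */

/* Bytes surrounding the topic name: 2 for its length, plus a 2-byte packet id if QoS > 0. */
static uint32_t publish_overhead(int qos) { return qos > 0 ? 4u : 2u; }
static uint32_t topic_len_field(const uint8_t *b) { return ((uint32_t)b[0] << 8) | b[1]; }

/* Arithmetic as the advisory describes it: the topic length is trusted and the
 * payload size is computed in unsigned 32-bit math. Only the size is computed,
 * nothing is copied, so the wraparound shows up as a return value. */
uint32_t payload_size_unchecked(const uint8_t *body, uint32_t remaining_length, int qos)
{
    return remaining_length - topic_len_field(body) - publish_overhead(qos);
}

/* Hardened version: the claimed length must fit in the bytes actually received,
 * and topic length plus overhead must fit inside the claimed length.
 * Returns the payload size, or -1 if the packet is rejected. */
int64_t payload_size_checked(const uint8_t *body, size_t received,
                             uint32_t remaining_length, int qos)
{
    uint32_t overhead = publish_overhead(qos);
    if (remaining_length > received || remaining_length < overhead)
        return -1;                              /* claimed length does not fit */
    uint32_t topic_len = topic_len_field(body);
    if (topic_len > remaining_length - overhead)
        return -1;                              /* topic would run past the body */
    return (int64_t)(remaining_length - overhead - topic_len); /* cannot underflow */
}

/* Constructed packets. kBad mirrors the advisory's values: remaining_length 7,
 * topic_name_size 0xFFFF. kGood is topic "a/b" plus a 2-byte payload at QoS 0. */
const uint8_t kBad[7]  = { 0xFF, 0xFF, 'a', 'b', 'c', 'd', 'e' };
const uint8_t kGood[7] = { 0x00, 0x03, 'a', '/', 'b', 0x01, 0x02 };

int main(void)
{
    printf("unchecked size for bad packet: %u\n", payload_size_unchecked(kBad, 7, 0));
    printf("checked bad:  %lld\n", (long long)payload_size_checked(kBad, sizeof kBad, 7, 0));
    printf("checked good: %lld\n", (long long)payload_size_checked(kGood, sizeof kGood, 7, 0));
    return 0;
}
```

The unchecked computation for the malformed packet wraps to 4294901766, the "near 2^32" value the description mentions, while the checked version rejects it before any size is used.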

Affected Systems

Vendors: LiamBindle. Product: MQTT‑C. Affected versions: 1.1.6 and earlier.

Risk and Exploitability

CVSS score 7.8 indicates high severity. The EPSS score is unavailable, but the vulnerability can be trivially triggered by sending a single malformed PUBLISH packet from a compromised or malicious broker, or by injecting traffic into an unencrypted MQTT session. Because the flaw is remote and does not require authentication, any subscriber to the broker could be affected. The vulnerability is not yet listed in CISA's KEV catalog, but the nature of the bug suggests that exploitation would be straightforward and could be automated by a broker administrator or an attacker with network visibility.

Generated by OpenCVE AI on June 14, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MQTT‑C to version 1.1.7 or later, which contains a fixed bounds check in mqtt_unpack_publish_response().
  • If an upgrade is not immediately possible, restrict the broker to only accept TLS‑encrypted connections to prevent unauthenticated injection of malformed packets.
  • Enable broker‑side packet validation or filtering to reject PUBLISH packets whose topic_name_size does not fit within the remaining_length, and monitor the client logs for out‑of‑bounds read attempts.


Advisories

No advisories yet.

History

Sun, 14 Jun 2026 18:00:00 +0000

Type / Values Removed / Values Added
Description: added (identical to the Description at the top of this page)
Weaknesses: added CWE-125, CWE-191
References: (empty)
Metrics: added cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}
Metrics: added cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D'}



MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-14T17:27:35.016Z

Reserved: 2026-06-13T16:39:46.122Z

Link: CVE-2026-54412

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-14T18:17:20.750

Modified: 2026-06-14T18:17:20.750

Link: CVE-2026-54412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T19:30:14Z

Weaknesses
  • CWE-125: Out-of-bounds Read
  • CWE-191: Integer Underflow (Wrap or Wraparound)