Description
Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet.



To remediate this issue, users should upgrade to v5.0.1.
Published: 2026-05-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing bounds validation in the MQTT v5.0 property parser of FreeRTOS coreMQTT allows an MQTT broker to send a crafted packet that overflows internal buffers and crashes or restarts the client. The flaw is a classic out‑of‑bounds read/write (CWE‑125) and results in a loss of availability of the affected device.

Affected Systems

All FreeRTOS coreMQTT installations earlier than version 5.0.1, including the 5.0.0 release, are susceptible. Devices that use these versions with a broker that supports MQTT v5.0 will be impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. No EPSS score is reported, and the issue is not listed in the CISA KEV catalog, but the attacker only needs to control a broker interface to send a malicious packet. Because the weakness resides in the client library, the supplier’s recommended remediation is to upgrade to the fixed 5.0.1 release.

Generated by OpenCVE AI on May 15, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the coreMQTT client library to version 5.0.1 or later.
  • Confirm that the updated firmware or application rebuilds with the patched library.
  • Monitor MQTT traffic during the transition for anomalous property packets and log any suspicious activity.

Generated by OpenCVE AI on May 15, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users should upgrade to v5.0.1.
Title DoS from MQTT v5.0 Deserialization Fault in core MQTT
First Time appeared Freertos
Freertos coremqtt
Weaknesses CWE-125
CPEs cpe:2.3:a:freertos:coremqtt:5.0.0:*:*:*:*:*:*:*
Vendors & Products Freertos
Freertos coremqtt
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Freertos Coremqtt
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-15T20:22:58.148Z

Reserved: 2026-05-15T14:25:50.894Z

Link: CVE-2026-8686

cve-icon Vulnrichment

Updated: 2026-05-15T20:22:54.887Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:05.057

Modified: 2026-05-15T19:17:05.057

Link: CVE-2026-8686

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses