CVE-2026-54412
Status: Received - Intake
Heap-based Buffer Overflow in MQTT-C Library

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
Meta Information
Generated: 2026-06-14
AI Q&A: 2026-06-14
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
2 associated CPEs

Vendor | Product | Version / Range
liambindle | mqtt-c | 1.1.6
liambindle | mqtt-c | up to and including 1.1.6
CWE ID | Description
CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
AI Quick Actions
Executive Summary

CVE-2026-54412 is a vulnerability in the LiamBindle MQTT-C library through version 1.1.6. It involves a heap-based out-of-bounds read and an integer underflow in the mqtt_unpack_publish_response() function. This function processes MQTT PUBLISH packets but fails to properly validate the size of the topic name against the remaining packet length. An attacker controlling an MQTT broker or able to inject MQTT traffic into an unencrypted session can send a specially crafted PUBLISH packet with an excessively large topic_name_size value. This causes the function to read memory beyond the allocated buffer (out-of-bounds read) and triggers an integer underflow that leads to a large, invalid memory operation. The result is a crash of the subscribed MQTT-C client and potential disclosure of adjacent heap memory.

Impact Analysis

This vulnerability can impact you by allowing a remote unauthenticated attacker to crash your MQTT-C client application, causing a denial of service. Additionally, because the vulnerability involves an out-of-bounds read, it may allow the attacker to disclose adjacent heap memory, potentially leaking sensitive information stored in memory. The attacker can exploit this by sending a single crafted PUBLISH packet to your client if they control the MQTT broker or can inject traffic into an unencrypted session.

Detection Guidance

The packet-level signal is not a large topic length by itself (MQTT permits topic names up to 65,535 bytes) but an inconsistent one: a PUBLISH whose 16-bit topic_name_size, plus the 2-byte length field itself, plus the 2-byte packet identifier when QoS is greater than 0, exceeds the fixed header's remaining_length. The advisory's example (topic_name_size = 0xFFFF with remaining_length = 7) is the extreme case, but any packet in which topic_name_size + 2 (QoS 0) or topic_name_size + 4 (QoS 1 or 2) is greater than remaining_length reaches the underflow and the out-of-bounds pointer advance.

Because exploitation requires only a single malformed PUBLISH packet, network intrusion detection systems (NIDS) or packet inspection tools can flag PUBLISH packets that fail that consistency check. This only works on plaintext sessions: MQTT over TLS cannot be inspected in transit, and a malicious broker speaking TLS to the client is invisible to a network sensor, so host-side monitoring of the client is the fallback in that case.

On the system running the MQTT-C client, monitoring for crashes or abnormal termination of the MQTT-C client process can also indicate exploitation attempts.

Specific commands depend on your environment, but example commands to capture and inspect MQTT traffic include:

  • Using tcpdump to capture plaintext MQTT traffic on port 1883: tcpdump -i <interface> port 1883 -w mqtt_traffic.pcap (MQTT over TLS, usually port 8883, cannot be inspected this way without terminating TLS).
  • Using tshark to list PUBLISH packets whose declared topic length cannot fit inside the remaining length. The fields below are the names used by Wireshark's MQTT dissector; confirm them on your build with tshark -G fields | grep mqtt: tshark -r mqtt_traffic.pcap -Y "mqtt.msgtype == 3 && mqtt.topic_len > mqtt.len" -V
  • Using Wireshark with the same display filter to inspect the flagged packets; a PUBLISH whose topic length overruns the packet also triggers the dissector's own "Malformed Packet" expert info.

Additionally, enabling application-level logging on the MQTT-C client to detect crashes or memory errors can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include:

  • Use MQTT over TLS and have the client verify the broker's certificate, so that an on-path attacker cannot inject a PUBLISH into the session. TLS does not help against a malicious or compromised broker, which is the primary attacker in this advisory.
  • Configure clients to connect only to brokers you control or trust. The vulnerable code runs in the subscribing client, so the exposure is whichever broker the client connects to, not inbound connections to the client.
  • Where sessions are plaintext, monitor and filter MQTT traffic for PUBLISH packets whose topic_name_size plus its overhead exceeds remaining_length.
  • Update the MQTT-C client library to a version that patches this vulnerability once available.
  • If updating is not immediately possible, patch the library locally: in mqtt_unpack_publish_response(), reject the packet unless topic_name_size + 2 (QoS 0) or topic_name_size + 4 (QoS 1 or 2) is less than or equal to remaining_length, and do so before advancing the parse pointer or computing application_message_size.

These steps help reduce the risk of exploitation by limiting exposure and preventing malformed packets from reaching vulnerable code paths.
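As an added example (not MQTT-C's own code), the following C program models the parse logic the description attributes to mqtt_unpack_publish_response() beside a bounds-checked version, and runs both over two constructed packets: the crafted PUBLISH from the description (topic_name_size = 0xFFFF, remaining_length = 7) and a well-formed QoS 1 PUBLISH. The vulnerable model never dereferences past the packet; it only reports the pointer offset and application_message_size that the unchecked arithmetic produces. The struct, function and constant names are hypothetical and do not match MQTT-C's internal API; the bounds check in the hardened version is the one the advisory says is missing, and the same check is what a network filter or a local patch would apply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample packets (not captured traffic). */
/* Crafted PUBLISH from the advisory: QoS 0, remaining_length = 7, topic_name_size = 0xFFFF. */
static const uint8_t CRAFTED_PUBLISH[] = { 0x30, 0x07, 0xFF, 0xFF, 'a', 'b', 'c', 'd', 'e' };
/* Well-formed PUBLISH: QoS 1, remaining_length = 9, topic "t/x", packet id 42, payload "hi". */
static const uint8_t VALID_PUBLISH[] = { 0x32, 0x09, 0x00, 0x03, 't', '/', 'x', 0x00, 0x2A, 'h', 'i' };

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_MALFORMED = -2 };

/* Hypothetical parsed view; field names follow the advisory, not MQTT-C's struct. */
struct publish_view {
    uint8_t qos;
    uint16_t topic_name_size;
    const uint8_t *topic_name;
    uint16_t packet_id;
    uint32_t application_message_size;
    const uint8_t *application_message;
};

/* Decode the MQTT variable-length remaining_length. Returns bytes consumed, 0 on error. */
static size_t decode_remaining_length(const uint8_t *buf, size_t bufsz, uint32_t *out)
{
    uint32_t value = 0, mult = 1;
    size_t i = 0;
    do {
        if (i >= bufsz || i >= 4) return 0;
        value += (uint32_t)(buf[i] & 0x7F) * mult;
        mult *= 128;
    } while (buf[i++] & 0x80);
    *out = value;
    return i;
}

/* Model of the unchecked path described in the advisory. It reads only the 2-byte
 * topic_name_size and then computes, without dereferencing, the offset and size
 * that would reach memmove(). Returns 1 if parsing would proceed to memmove(). */
int vulnerable_unpack_model(const uint8_t *buf, size_t bufsz,
                            uint32_t *app_msg_size, size_t *app_msg_offset)
{
    uint32_t remaining_length;
    if (bufsz < 2) return 0;                                   /* harness guard, not part of the model */
    size_t hdr = 1 + decode_remaining_length(buf + 1, bufsz - 1, &remaining_length);
    if (hdr == 1 || hdr + 2 > bufsz) return 0;                 /* harness guard, not part of the model */
    if (remaining_length < 4) return 0;                        /* the only check the advisory says is made */
    uint8_t qos = (buf[0] >> 1) & 0x03;
    uint32_t topic_name_size = ((uint32_t)buf[hdr] << 8) | buf[hdr + 1];
    *app_msg_offset = hdr + 2 + topic_name_size + (qos > 0 ? 2 : 0);  /* pointer advanced blindly */
    *app_msg_size = remaining_length - topic_name_size - (qos > 0 ? 4u : 2u); /* unsigned underflow */
    return 1;
}

/* Bounds-checked version: remaining_length must fit in the buffer, and the topic,
 * its 2-byte length field and the packet id (QoS > 0) must fit in remaining_length. */
int hardened_unpack_publish(const uint8_t *buf, size_t bufsz, struct publish_view *out)
{
    uint32_t remaining_length;
    if (bufsz < 2) return PARSE_TRUNCATED;
    if ((buf[0] & 0xF0) != 0x30) return PARSE_MALFORMED;        /* not a PUBLISH */
    size_t hdr = 1 + decode_remaining_length(buf + 1, bufsz - 1, &remaining_length);
    if (hdr == 1) return PARSE_MALFORMED;
    if (bufsz - hdr < remaining_length) return PARSE_TRUNCATED;  /* body not fully received yet */

    uint8_t qos = (buf[0] >> 1) & 0x03;
    if (qos == 3) return PARSE_MALFORMED;
    uint32_t overhead = 2u + (qos > 0 ? 2u : 0u);
    if (remaining_length < overhead) return PARSE_MALFORMED;

    uint32_t topic_name_size = ((uint32_t)buf[hdr] << 8) | buf[hdr + 1];
    if (topic_name_size > remaining_length - overhead) return PARSE_MALFORMED; /* the missing check */

    const uint8_t *p = buf + hdr + 2;
    out->qos = qos;
    out->topic_name_size = (uint16_t)topic_name_size;
    out->topic_name = p;
    p += topic_name_size;
    out->packet_id = 0;
    if (qos > 0) { out->packet_id = (uint16_t)((p[0] << 8) | p[1]); p += 2; }
    out->application_message_size = remaining_length - overhead - topic_name_size; /* cannot underflow */
    out->application_message = p;
    return PARSE_OK;
}

int main(void)
{
    uint32_t size; size_t offset; struct publish_view v;
    if (vulnerable_unpack_model(CRAFTED_PUBLISH, sizeof CRAFTED_PUBLISH, &size, &offset))
        printf("vulnerable model: parse pointer at offset %zu of a %zu-byte buffer, memmove size %u\n",
               offset, sizeof CRAFTED_PUBLISH, (unsigned)size);
    printf("hardened, crafted packet: %d\n", hardened_unpack_publish(CRAFTED_PUBLISH, sizeof CRAFTED_PUBLISH, &v));
    if (hardened_unpack_publish(VALID_PUBLISH, sizeof VALID_PUBLISH, &v) == PARSE_OK)
        printf("hardened, valid packet: topic %.*s id %u payload %.*s\n", (int)v.topic_name_size,
               v.topic_name, (unsigned)v.packet_id, (int)v.application_message_size, v.application_message);
    return 0;
}
```

On the crafted packet the model lands the parse pointer at offset 65539 of a 9-byte buffer and hands memmove() a length of 4294901766 (7 - 65535 - 2 wrapped in 32-bit unsigned arithmetic), which is the crash the advisory describes; the hardened parser rejects the same bytes as malformed before touching anything past the length field, and a truncated but otherwise valid packet is reported separately so the caller can wait for the rest of it rather than treating it as an attack.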

Compliance Impact

The vulnerability in LiamBindle MQTT-C allows a remote unauthenticated attacker to cause a crash and potentially disclose adjacent heap memory by sending a crafted PUBLISH packet. This memory disclosure could lead to unauthorized access to sensitive information.

Such unauthorized disclosure of memory could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.

However, the provided context and resources do not explicitly discuss the direct impact of this vulnerability on compliance with these standards or regulations.
