CVE-2019-17210
Description
A denial-of-service issue was discovered in the MQTT library in Arm Mbed OS 2017-11-02. The function readMQTTLenString() is called by the function MQTTDeserialize_publish() to get the length and content of the MQTT topic name. In the function readMQTTLenString(), mqttstring->lenstring.len is a part of user input, which can be manipulated. An attacker can simply change it to a larger value to invalidate the if statement so that the statements inside the if statement are skipped, letting the value of mqttstring->lenstring.data default to zero. Later, curn is accessed, which points to mqttstring->lenstring.data. On an Arm Cortex-M chip, the value at address 0x0 is actually the initialization value for the MSP register. It is highly dependent on the actual firmware. Therefore, the behavior of the program is unpredictable from this time on.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted MQTT packet causes a null pointer dereference in Arm Mbed OS's MQTT library, leading to denial of service.
Vulnerability
The MQTT library in Arm Mbed OS (2017-11-02) contains a denial-of-service vulnerability in readMQTTLenString(), called by MQTTDeserialize_publish(). The function fails to validate mqttstring->lenstring.len from user input. Setting it to a value larger than the remaining packet data causes the length check to fail, skipping assignment of mqttstring->lenstring.data, leaving it as a null pointer [1].
Exploitation
An unauthenticated attacker on the network can send a malicious MQTT PUBLISH packet with a crafted topic length field. The oversized length causes the code path to skip pointer initialization, resulting in a null pointer dereference when isTopicMatched() later accesses the data [1]. No authentication or user interaction is required.
Impact
Successful exploitation leads to a null pointer dereference. On ARM Cortex-M chips, address 0x0 holds the MSP (Main Stack Pointer) initialization value, making behavior unpredictable. This typically causes a hard fault, resulting in denial of service [1].
Mitigation
The issue was reported via GitHub in project ARMmbed/mbed-os #11802. Users should upgrade to a patched version of Mbed OS if available. As of the publication date (2019-11-04), no official patch release was announced. Workarounds include input validation or disabling MQTT functionality if not required [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Arm/Mbed OSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/ARMmbed/mbed-os/issues/11802mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.