VYPR
High severity (8.2) · NVD Advisory · Published Jun 14, 2026

CVE-2026-54412

Description

MQTT-C through 1.1.6 contains a heap OOB read and integer underflow in mqtt_unpack_publish_response() allowing remote crash and potential heap disclosure via a crafted PUBLISH packet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based out-of-bounds read and integer underflow vulnerability exists in the mqtt_unpack_publish_response() function in src/mqtt.c of LiamBindle MQTT-C through version 1.1.6 [3][4]. The function checks only that the fixed-header remaining_length is at least 4 bytes, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS > 0) in unsigned arithmetic, producing an integer underflow that is passed to memmove() [1][2].

Exploitation

An attacker controlling an MQTT broker, or able to inject MQTT traffic into an unencrypted session, can send a single crafted PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7. This causes the parse pointer to advance 65535 bytes past the receive buffer (out-of-bounds read) and generates an application_message_size value near 2^32 due to unsigned integer underflow; the subsequent memmove() operation then crashes the process [4].
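To make the length check described in the Vulnerability and Exploitation sections concrete, here is an added example (constructed for this page, not MQTT-C's code): a simplified model of the PUBLISH variable-header parse, with the vulnerable unsigned subtraction beside a hardened parse that validates topic_name_size against remaining_length and the bytes actually held before advancing any pointer. The struct, function names and the two sample packets are assumptions; the crafted values (topic_name_size = 0xFFFF, remaining_length = 7) are the ones the advisory cites.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the PUBLISH variable-header parse the advisory describes.
 * It is NOT MQTT-C's code: field names follow the advisory, the layout is simplified. */
struct publish_view {
    const uint8_t *topic;   uint16_t topic_name_size;
    uint16_t packet_id;     /* meaningful only when qos > 0 */
    const uint8_t *payload; uint32_t application_message_size;
};

/* Constructed sample packets (not captured traffic): a benign PUBLISH (topic "a/b",
 * payload "hi") and the 7-byte header with topic_name_size = 0xFFFF from the advisory. */
static const uint8_t benign_qos0[7]  = { 0x00, 0x03, 'a', '/', 'b', 'h', 'i' };
static const uint8_t crafted_qos0[7] = { 0xFF, 0xFF, 0, 0, 0, 0, 0 };

/* Vulnerable-style arithmetic: only remaining_length >= 4 is checked, then the
 * unsigned subtraction underflows whenever the topic claims more bytes than exist. */
uint32_t vulnerable_message_size(uint32_t remaining_length, uint16_t topic_name_size, int qos)
{
    if (remaining_length < 4u) return 0u;          /* the only check the page describes */
    return remaining_length - topic_name_size - (qos > 0 ? 4u : 2u);
}
/* Hardened parse: each length is checked against remaining_length (and the bytes we
 * actually hold) before any pointer advances or any subtraction happens.
 * Returns 1 and fills *out on a well-formed packet, 0 on a malformed one. */
int parse_publish_hardened(const uint8_t *buf, size_t buf_len, uint32_t remaining_length,
                           int qos, struct publish_view *out)
{
    uint32_t overhead = (qos > 0) ? 4u : 2u;      /* topic length field (+ packet id) */
    const uint8_t *p = buf;
    if (remaining_length > buf_len) return 0;      /* packet claims bytes never received */
    if (remaining_length < overhead) return 0;
    out->topic_name_size = (uint16_t)((p[0] << 8) | p[1]);   /* big-endian per MQTT */
    p += 2;
    /* Reject BEFORE advancing: topic + overhead must fit inside remaining_length. */
    if (out->topic_name_size > remaining_length - overhead) return 0;
    out->topic = p;
    p += out->topic_name_size;
    out->packet_id = 0;
    if (qos > 0) { out->packet_id = (uint16_t)((p[0] << 8) | p[1]); p += 2; }
    out->payload = p;
    out->application_message_size = remaining_length - overhead - out->topic_name_size;
    return 1;                                       /* cannot underflow: checked above */
}
/* Payload size on success, UINT32_MAX when the hardened parser rejects the packet. */
uint32_t parsed_message_size(const uint8_t *buf, size_t buf_len, uint32_t remaining_length, int qos)
{
    struct publish_view v;
    return parse_publish_hardened(buf, buf_len, remaining_length, qos, &v) ? v.application_message_size : UINT32_MAX;
}
```

Any length that passes the hardened check also bounds the later memmove(), which is the property a fix for this class of bug has to guarantee.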

Impact

Successful exploitation allows a remote unauthenticated attacker to crash the subscribed MQTT-C client (denial of service) and potentially disclose adjacent heap memory (information disclosure). No code execution is described in the available references, but the out-of-bounds read may leak sensitive data from the client's heap [1][2].

Mitigation

As of publication (2026-06-14), no fixed version of MQTT-C has been released. Users should monitor the GitHub repository [3] for patches and updates. Mitigations include using encrypted TLS sessions to prevent traffic injection and connecting only to trusted MQTT brokers. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 14, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • LiamBindle/MQTT-C (2 version entries, no CPE assigned): range <=1.1.6

Patches

No patches discovered yet (0).

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.