Primary

Context

coreMQTT Heap Out-of-Bounds Read Vulnerability in MQTT v5.0 Property Parsing

Vulnerability

A heap out-of-bounds read vulnerability has been identified in coreMQTT, a lightweight MQTT client library for embedded devices. This issue is present in coreMQTT versions 5.0.0 prior to 5.0.1. The vulnerability arises from missing bounds validation in the MQTT v5.0 SUBACK and UNSUBACK property parser. An MQTT broker can exploit this flaw by sending a crafted packet, leading to a denial-of-service condition by causing a crash through out-of-bounds memory access.

Impact

Exploitation of this vulnerability results in a denial-of-service condition, causing a crash by accessing memory outside the allocated bounds, and could potentially allow for information disclosure by reading adjacent heap memory.

Remediation

Users are advised to upgrade to coreMQTT version 5.0.1 or later. For those using forked or derivative code, ensure that it is patched to incorporate the latest fixes.

Added: May 15, 2026, 7:25 PM

Updated: May 15, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

7.4

remediation

0.0

relevance

8.4

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

7.4

remediation

0.0

relevance

8.4

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

coreMQTT Heap Out-of-Bounds Read Vulnerability in MQTT v5.0 Property Parsing

Vulnerability

Impact

Remediation

Affected Products

Amazon Web Services coreMQTT

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating