CVE-2026-54412: MQTT-C Heap-Based Out-of-Bounds Read (CVSS 8.2 HIGH)
Published: June 2026 | CVSS: 8.2 HIGH | Severity: High
Summary
CVE-2026-54412 is a heap-based out-of-bounds (OOB) read vulnerability in MQTT-C, a lightweight C library implementing the MQTT protocol widely used in IoT and IIoT messaging. The flaw resides in the mqtt_unpack_publish_response() function in mqtt.c, where an integer underflow leads to reading beyond the bounds of a heap-allocated buffer. A remote attacker can exploit this by sending a crafted MQTT PUBLISH packet to a vulnerable client or broker, potentially leaking sensitive heap memory contents.
Affected Software
- MQTT-C — all versions through 1.1.6
- Any IoT/IIoT device, gateway, or application embedding a vulnerable MQTT-C build
Technical Details
The vulnerability stems from an integer underflow in mqtt_unpack_publish_response(), the function responsible for decoding incoming MQTT PUBLISH packets. When processing a malformed or truncated PUBLISH message, the arithmetic used to calculate remaining payload lengths can wrap, resulting in the function attempting to read data well beyond the actual heap buffer’s valid range. This out-of-bounds read can expose adjacent heap memory to the attacker.
The issue is particularly dangerous because MQTT—Message Queuing Telemetry Transport—is the de facto messaging protocol for constrained IoT devices, industrial control systems (ICS), and smart infrastructure. A compromised client handling sensitive data (credentials, telemetry, sensor readings) could leak that data through a single malicious PUBLISH packet.
Impact
- Confidentiality: HIGH — heap memory disclosure, potentially exposing credentials, session tokens, or encryption keys
- Integrity: NONE — no write primitive
- Availability: LOW — crash is possible but not the primary risk
- Exploitability: Network-accessible, no authentication required, low attack complexity
Mitigation & Remediation
- Update: Upgrade to MQTT-C version 1.1.7 or later once the patch is released. Monitor the MQTT-C GitHub repository for the official fix.
- Input Validation: Implement strict bounds checking on MQTT packet lengths before passing them to mqtt_unpack_publish_response().
- Network Segmentation: Isolate MQTT brokers and clients on dedicated VLANs with access controls to limit exposure.
- TLS: Always use MQTT over TLS to prevent packet injection by man-in-the-middle attackers.
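A pre-unpack length check of the kind the Input Validation item describes, added here as an example (it is not MQTT-C's code, which this page does not show): it decodes the fixed header of a PUBLISH packet and rejects any packet whose topic-length or packet-identifier fields would make the "remaining length minus bytes consumed" subtraction wrap. The function names and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Outcome of validating a PUBLISH packet before it reaches the unpacker. */
enum mqtt_check { MQTT_OK = 0, MQTT_ERR_TRUNCATED, MQTT_ERR_BAD_LENGTH, MQTT_ERR_BAD_TYPE };

/* Decode the MQTT "remaining length" varint: 1 to 4 bytes, 7 data bits each,
 * high bit set on every byte except the last. Returns 0 on success. */
static int decode_remaining_length(const uint8_t *buf, size_t len, size_t *out, size_t *used)
{
    size_t value = 0, mult = 1, i;
    for (i = 0; i < 4 && i < len; i++) {
        value += (size_t)(buf[i] & 0x7F) * mult;
        if (!(buf[i] & 0x80)) { *out = value; *used = i + 1; return 0; }
        mult *= 128;
    }
    return -1; /* truncated, or a 4th byte still carries the continuation bit */
}

/* Check that every length field in a PUBLISH packet is consistent with the
 * bytes actually received, so that "remaining minus bytes consumed" can
 * never go negative (and thus wrap) when the payload length is computed. */
enum mqtt_check mqtt_check_publish(const uint8_t *buf, size_t len)
{
    size_t remaining, hdr, topic_len, consumed;
    const uint8_t *var;
    if (len < 2) return MQTT_ERR_TRUNCATED;
    if ((buf[0] >> 4) != 3) return MQTT_ERR_BAD_TYPE; /* control type 3 = PUBLISH */
    if (decode_remaining_length(buf + 1, len - 1, &remaining, &hdr) != 0)
        return MQTT_ERR_TRUNCATED;
    if (remaining > len - 1 - hdr) return MQTT_ERR_TRUNCATED; /* header promises more than we hold */
    var = buf + 1 + hdr;
    consumed = 2; /* two-byte topic length field */
    if (remaining < consumed) return MQTT_ERR_BAD_LENGTH;
    topic_len = ((size_t)var[0] << 8) | var[1];
    consumed += topic_len;
    if (((buf[0] >> 1) & 0x3) != 0) consumed += 2; /* packet identifier present for QoS 1 and 2 */
    /* payload_len = remaining - consumed is exactly the subtraction that would
     * wrap if a crafted topic length exceeded the declared remaining length. */
    if (consumed > remaining) return MQTT_ERR_BAD_LENGTH;
    return MQTT_OK;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t pkt_ok[]       = {0x30, 0x07, 0x00, 0x03, 'a', '/', 'b', 'h', 'i'}; /* QoS 0, topic "a/b", payload "hi" */
const uint8_t pkt_badtopic[] = {0x30, 0x07, 0xFF, 0xFF, 'a', '/', 'b', 'h', 'i'}; /* topic length 65535 in a 7-byte body */
const uint8_t pkt_trunc[]    = {0x30, 0x07, 0x00, 0x03, 'a'};                     /* header claims 7 bytes, only 3 present */
const uint8_t pkt_qos1[]     = {0x32, 0x05, 0x00, 0x03, 'a', '/', 'b'};           /* QoS 1 but no room for the packet id */
```

Running the checker over the four samples returns MQTT_OK only for pkt_ok; the other three are rejected before any payload-length arithmetic takes place.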
