CVE-2026-54412 PUBLISHED

Assigner: TuranSec
Reserved: 13.06.2026 Published: 14.06.2026 Updated: 14.06.2026

LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D
CVSS Score: 7.8

A malicious MQTT broker, or a network attacker capable of injecting a single MQTT PUBLISH packet into an unencrypted session that the victim client has subscribed to, sends one crafted packet with topic_name_size = 0xFFFF and remaining_length = 7 to crash an MQTT-C-based client process and optionally disclose adjacent heap bytes through the out-of-bounds read primitive.

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CVSS Score: 8.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	LiamBindle
Product	MQTT-C
Versions	Default: unknown affected from 0 to 1.1.6 (incl.)

Credits

Saidakbarxon Maxsudxonov finder

References

Problem Types

CWE-125 Out-of-bounds Read CWE
CWE-191 Integer Underflow (Wrap or Wraparound) CWE

Impacts

A remote attacker controlling an MQTT broker - or able to inject one PUBLISH packet into an unencrypted MQTT session a victim has subscribed to - crashes a subscribed MQTT-C client by sending a single crafted PUBLISH packet whose topic_name_size exceeds the remaining_length field. The vulnerable client advances the parse pointer into unmapped heap memory (out-of-bounds read primitive that may also disclose adjacent heap bytes), then computes application_message_size as an unsigned subtraction that underflows to a value near 2^32, and finally passes that value to memmove(), crashing the process. Any IoT or embedded device built on MQTT-C that connects to a shared, untrusted, or compromised broker is reachable for repeated, unauthenticated denial of service.