CVE-2026-30867 is a reachable assertion vulnerability (CWE-617) found in the CocoaMQTT client library, an MQTT 5.0 client implemented in Swift for Apple platforms including iOS, macOS, and tvOS. The vulnerability exists in the packet parsing logic prior to version 2.2.2. Specifically, if an attacker or a compromised MQTT broker publishes a malformed 4-byte payload with the MQTT RETAIN flag set to true to a shared topic, the broker stores this payload persistently. When a vulnerable client connects and subscribes to this topic, the broker automatically delivers the malformed retained message. Upon receipt, the CocoaMQTT client attempts to parse the malformed packet but triggers an assertion failure, causing the client application to crash immediately, even if running in the background. This crash is persistent because the retained message remains on the broker until manually deleted, effectively causing a persistent denial-of-service (DoS) condition that 'bricks' the app. The vulnerability requires network-level access to publish to the MQTT broker or control of the broker itself. No user interaction beyond subscribing to the topic is needed, and no authentication bypass is indicated. The CVSS v3.1 score is 5.7 (medium), reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on availability but no impact on confidentiality or integrity. No known exploits are reported in the wild. The issue was publicly disclosed in April 2026 and patched in CocoaMQTT version 2.2.2.

The primary impact of CVE-2026-30867 is a persistent denial-of-service condition on client applications using vulnerable versions of CocoaMQTT. A malicious actor or compromised MQTT broker can publish a malformed retained message that causes all subscribing clients to crash immediately upon receiving the message. This can disrupt critical IoT, mobile, or desktop applications relying on MQTT messaging for real-time data or control, leading to service outages and degraded user experience. Since the retained message persists on the broker, the DoS effect continues until manual intervention removes the message, complicating recovery. Although confidentiality and integrity are not affected, the availability impact can be significant, especially in environments where MQTT is used for operational technology, smart home devices, or industrial control systems. Organizations relying on CocoaMQTT in their Apple platform applications may face operational disruptions, increased support costs, and potential reputational damage. The requirement for privileges to publish to the broker or control the broker limits exploitation to attackers with network access or insider capabilities, but the risk remains notable in shared or public MQTT environments.

To mitigate CVE-2026-30867, organizations should immediately upgrade all CocoaMQTT client implementations to version 2.2.2 or later where the vulnerability is patched. Additionally, MQTT brokers should implement strict access controls and authentication mechanisms to prevent unauthorized publishing of retained messages, especially on shared topics. Brokers should also monitor and audit retained messages for malformed or suspicious payloads and provide automated tools or scripts to identify and remove malicious retained messages promptly. Application developers can implement additional validation and error handling around MQTT packet parsing to gracefully handle malformed messages without crashing. Network segmentation and limiting MQTT broker exposure to trusted networks reduce the attack surface. Finally, educating developers and administrators about the risks of retained messages and enforcing secure MQTT configurations will help prevent exploitation.