CVE-2026-30867: CWE-617: Reachable Assertion in emqx CocoaMQTT
CVE-2026-30867 is a reachable assertion vulnerability in the CocoaMQTT client library for iOS and macOS prior to version 2. 2. 2. The flaw exists in the packet parsing logic, where a 4-byte malformed payload with the RETAIN flag set can be published to a shared topic on an MQTT broker. When a vulnerable client subscribes to this topic, the broker pushes the malformed packet, causing the client application to crash immediately in the background. This results in a persistent denial-of-service condition until the retained message is removed from the broker. The issue has been patched in CocoaMQTT version 2. 2. 2.
AI Analysis
Technical Summary
CVE-2026-30867 affects CocoaMQTT versions before 2.2.2 and involves a reachable assertion failure triggered by a malformed 4-byte payload with the RETAIN flag set in MQTT packet parsing. A malicious or compromised MQTT broker can persist this payload, causing any subscribing vulnerable client to crash instantly upon receiving the retained message. This leads to a persistent denial-of-service on iOS/macOS/tvOS applications using CocoaMQTT until the retained message is manually deleted from the broker. The vulnerability is addressed by updating to version 2.2.2.
Potential Impact
The vulnerability causes a persistent denial-of-service (DoS) by crashing the client application immediately upon receiving a malformed retained MQTT message. There is no impact on confidentiality or integrity, but availability is severely affected as the app becomes unusable until the retained message is cleared from the broker. No known exploits are reported in the wild.
Mitigation Recommendations
This issue has been fixed in CocoaMQTT version 2.2.2. Users should upgrade to version 2.2.2 or later to remediate the vulnerability. Additionally, removing any retained malformed messages from the MQTT broker will restore functionality for affected clients. No other mitigation is required.
CVE-2026-30867: CWE-617: Reachable Assertion in emqx CocoaMQTT
Description
CVE-2026-30867 is a reachable assertion vulnerability in the CocoaMQTT client library for iOS and macOS prior to version 2. 2. 2. The flaw exists in the packet parsing logic, where a 4-byte malformed payload with the RETAIN flag set can be published to a shared topic on an MQTT broker. When a vulnerable client subscribes to this topic, the broker pushes the malformed packet, causing the client application to crash immediately in the background. This results in a persistent denial-of-service condition until the retained message is removed from the broker. The issue has been patched in CocoaMQTT version 2. 2. 2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-30867 affects CocoaMQTT versions before 2.2.2 and involves a reachable assertion failure triggered by a malformed 4-byte payload with the RETAIN flag set in MQTT packet parsing. A malicious or compromised MQTT broker can persist this payload, causing any subscribing vulnerable client to crash instantly upon receiving the retained message. This leads to a persistent denial-of-service on iOS/macOS/tvOS applications using CocoaMQTT until the retained message is manually deleted from the broker. The vulnerability is addressed by updating to version 2.2.2.
Potential Impact
The vulnerability causes a persistent denial-of-service (DoS) by crashing the client application immediately upon receiving a malformed retained MQTT message. There is no impact on confidentiality or integrity, but availability is severely affected as the app becomes unusable until the retained message is cleared from the broker. No known exploits are reported in the wild.
Mitigation Recommendations
This issue has been fixed in CocoaMQTT version 2.2.2. Users should upgrade to version 2.2.2 or later to remediate the vulnerability. Additionally, removing any retained malformed messages from the MQTT broker will restore functionality for affected clients. No other mitigation is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-05T21:27:35.343Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce7bd9e6bfc5ba1ddfe6cc
Added to database: 4/2/2026, 2:23:21 PM
Last enriched: 4/10/2026, 12:00:59 AM
Last updated: 5/20/2026, 9:42:22 PM
Views: 91
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.