CVE-2026-54412: CWE-125 Out-of-bounds Read in LiamBindle MQTT-C
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
AI Analysis
Technical Summary
CVE-2026-54412 is a heap-based out-of-bounds read and integer underflow vulnerability in LiamBindle MQTT-C through version 1.1.6. The mqtt_unpack_publish_response() function improperly validates the fixed-header remaining_length and the 16-bit topic_name_size field from broker-controlled packets. It advances the parse pointer by topic_name_size without ensuring the sum fits within remaining_length, then calculates application_message_size using unsigned arithmetic that can underflow. This leads to an out-of-bounds read and a memmove call with a very large size, causing a crash and potential disclosure of adjacent heap memory. Exploitation requires control of the MQTT broker or the ability to inject MQTT traffic into an unencrypted session.
Potential Impact
A remote unauthenticated attacker who controls the MQTT broker or can inject MQTT traffic into an unencrypted session can crash the subscribed MQTT-C client and potentially disclose adjacent heap memory. This can lead to denial of service and information disclosure. The vulnerability does not require authentication and affects confidentiality and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is available, avoid using MQTT-C in unencrypted sessions or with untrusted MQTT brokers to reduce exposure. Monitor for updates from LiamBindle regarding a fix for this vulnerability.
CVE-2026-54412: CWE-125 Out-of-bounds Read in LiamBindle MQTT-C
Description
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
CVSS v4.0
Score 7.8high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54412 is a heap-based out-of-bounds read and integer underflow vulnerability in LiamBindle MQTT-C through version 1.1.6. The mqtt_unpack_publish_response() function improperly validates the fixed-header remaining_length and the 16-bit topic_name_size field from broker-controlled packets. It advances the parse pointer by topic_name_size without ensuring the sum fits within remaining_length, then calculates application_message_size using unsigned arithmetic that can underflow. This leads to an out-of-bounds read and a memmove call with a very large size, causing a crash and potential disclosure of adjacent heap memory. Exploitation requires control of the MQTT broker or the ability to inject MQTT traffic into an unencrypted session.
Potential Impact
A remote unauthenticated attacker who controls the MQTT broker or can inject MQTT traffic into an unencrypted session can crash the subscribed MQTT-C client and potentially disclose adjacent heap memory. This can lead to denial of service and information disclosure. The vulnerability does not require authentication and affects confidentiality and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is available, avoid using MQTT-C in unencrypted sessions or with untrusted MQTT brokers to reduce exposure. Monitor for updates from LiamBindle regarding a fix for this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- TuranSec
- Date Reserved
- 2026-06-13T16:39:46.122Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2eee6be617e2d834ca6d33
Added to database: 6/14/2026, 6:09:47 PM
Last enriched: 6/14/2026, 6:24:27 PM
Last updated: 6/14/2026, 8:56:41 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.