MQTT-C Heap Buffer Read and Integer Underflow Flaw

LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and re

Casky was already ahead

This CVE exploits attack patterns that Casky's 255matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

LiamBindle MQTT-C versions through 1.1.6 contain a critical heap-based out-of-bounds read vulnerability combined with integer underflow in the mqtt_unpack_publish_response() function. An unauthenticated remote attacker who controls an MQTT broker or can inject traffic into unencrypted MQTT sessions can exploit this flaw by sending a specially crafted PUBLISH packet. The vulnerability allows attackers to crash subscribed MQTT-C clients (denial of service) and potentially leak sensitive data from adjacent heap memory. This affects any application using MQTT-C as a library for IoT, messaging, or telemetry operations, making it particularly dangerous in environments where MQTT brokers are exposed to untrusted networks or where TLS encryption is not enforced.

Casky's 255 mapped security skills, powered by Claude's extended reasoning capabilities, detect attack patterns associated with this vulnerability across MITRE ATT&CK techniques TA0002 (Execution) and TA0003 (Persistence). Practitioners using Casky would observe findings aligned with network-based reconnaissance and exploitation detection: anomalous MQTT protocol packet structures that trigger bounds-checking failures, memory access violations following broker-to-client communication, and crash dumps correlating with specific PUBLISH response packet formats. The platform's CWE-125 (Out-of-bounds Read) and CWE-191 (Integer Underflow) skill mappings enable detection of malformed packet headers where remaining_length validation is bypassed, allowing practitioners to identify exploitation attempts in real-time traffic analysis and identify vulnerable MQTT-C instances in their infrastructure before successful compromise.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

255 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-54412.

acquiring-disk-image-with-dd-and-dcfldd

digital forensics · low

Run

analyzing-android-malware-with-apktool

malware analysis · medium

Run

analyzing-bootkit-and-rootkit-samples

malware analysis · medium

Run

MITRE ATT&CK Techniques

TA0002 TA0003

Investigate the attack patterns behind CVE-2026-54412

Casky has 255 skills that investigate the attack patterns behind CVE-2026-54412. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn