HIGH · CVE-2026-54412 · CNA: TuranSec

CVE-2026-54412: LiamBindle MQTT-C through version 1

LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
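The length arithmetic described above, next to a bounds-checked version, as an added example; it is not MQTT-C's code or an upstream fix. The function names and sample bytes are hypothetical, and the unchecked function only reproduces the subtraction on plain integers and never touches a buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample bodies (the bytes after the fixed header), QoS 0. */
static const uint8_t BAD_BODY[7]  = {0xFF, 0xFF, 'a', 'b', 'c', 'd', 'e'};
static const uint8_t GOOD_BODY[7] = {0x00, 0x03, 'a', '/', 'b', 'h', 'i'};

/* Bytes that are neither topic nor payload: the 2-byte topic length,
 * plus a 2-byte packet identifier when QoS > 0. */
static uint32_t publish_overhead(uint8_t qos) { return qos == 0 ? 2u : 4u; }

/* The subtraction as the advisory describes it: unsigned and unchecked,
 * so it wraps when topic_name_size exceeds what remaining_length allows. */
uint32_t unchecked_message_size(uint32_t remaining_length,
                                uint16_t topic_name_size, uint8_t qos)
{
    return remaining_length - topic_name_size - publish_overhead(qos);
}

/* Hypothetical hardened check: returns the payload length, or -1 when the
 * declared sizes do not fit inside remaining_length and the buffer. */
int64_t checked_message_size(const uint8_t *body, size_t avail,
                             uint32_t remaining_length, uint8_t qos)
{
    uint32_t overhead = publish_overhead(qos);
    if (qos > 2 || remaining_length < overhead) return -1;
    if (remaining_length > avail) return -1;   /* body not fully buffered */
    /* Safe to read two bytes: avail >= remaining_length >= overhead >= 2. */
    uint16_t topic_len = (uint16_t)((body[0] << 8) | body[1]);
    /* Compare before subtracting; the right-hand side cannot wrap. */
    if (topic_len > remaining_length - overhead) return -1;
    return (int64_t)(remaining_length - overhead - topic_len);
}

int main(void)
{
    printf("unchecked size for the advisory's values: %lu\n",
           (unsigned long)unchecked_message_size(7, 0xFFFF, 0));
    printf("checked, crafted body: %lld\n",
           (long long)checked_message_size(BAD_BODY, sizeof BAD_BODY, 7, 0));
    printf("checked, valid body:   %lld\n",
           (long long)checked_message_size(GOOD_BODY, sizeof GOOD_BODY, 7, 0));
    return 0;
}
```

The checked version rejects the packet before any pointer is advanced or any copy length is computed, which is the property to look for when reviewing a fix for this parser.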

Metrics

  • CVSS v4.0: 7.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A heap-based out-of-bounds read and integer underflow affects LiamBindle MQTT-C through version 1.1.6, specifically in the mqtt_unpack_publish_response() function that parses incoming PUBLISH packets. The vulnerability is reachable over the network with no authentication required, by an attacker who controls or can inject traffic into an MQTT broker session the client subscribes to. Successful exploitation crashes the MQTT-C client process and may expose adjacent heap memory contents. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54412 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the MQTT-C library directly. Any image containing the affected LiamBindle MQTT-C at version 1.1.6 or earlier is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage: Available

Triage is available using the CVSS v4.0 score of 7.8 (HIGH), with per-environment compliance policy weighting applied to prioritize findings against each customer's defined risk thresholds. Routed findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by the upstream maintainer. In the interim, customers can apply compensating controls through HarborGuard's policy engine, including network-policy isolation for affected workloads and flagging of images for manual review.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the client over the network, either by operating a malicious MQTT broker the client connects to, or by injecting crafted PUBLISH packets into an unencrypted MQTT session in transit.

  • Authentication: Not required

    No credentials or account are needed; the attacker exploits the parsing flaw by sending a single crafted PUBLISH packet before any authentication check on the client side.

  • Victim interaction: Not required

    No user action is required; the vulnerable parsing code executes automatically when the MQTT-C client receives the crafted PUBLISH packet from the broker.

  • Attack complexity: Detail

    Attack complexity is low; the exploit requires sending a single malformed packet with specific field values and does not depend on race conditions, memory layout randomization, or other environmental factors.

Blast Radius

  • Crashes the MQTT-C client process by triggering a memmove() call with an application_message_size value near 2^32, causing an immediate denial of service for any service or device relying on that client connection.
  • Reads up to 65535 bytes past the end of the receive buffer on the heap, exposing adjacent heap memory that may contain sensitive runtime data such as credentials, session tokens, or message payloads from other MQTT topics.
  • Any workload or IoT device running an affected MQTT-C client loses its broker connection and requires a restart, disrupting telemetry pipelines, command delivery, or other real-time messaging flows that depend on the subscription.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version exists for CVE-2026-54412 at this time, HarborGuard continuously re-checks the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment the upstream maintainer publishes a fix. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. In the interim, HarborGuard's policy engine can be used to apply compensating controls: network-policy isolation to restrict which endpoints affected containers may connect to as MQTT clients, egress filtering to limit broker connectivity to known-trusted hosts only, and mandatory-review gates in CI/CD pipelines to block deployment of images containing MQTT-C 1.1.6 or earlier until a patch is available. All affected images are surfaced in the HarborGuard findings dashboard with the full CVSS v4.0 context so teams can prioritize based on whether the image is deployed in an environment where MQTT traffic is untrusted or unencrypted.

Affected packages
  • LiamBindle / MQTT-C
    ≤ 1.1.6
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D