{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-54412/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-14T17:27:35.016Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-54412","@id":"https://www.cve.org/CVERecord?id=CVE-2026-54412","description":"LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at l"},"products":[{"@id":"cpe:2.3:a:liambindle:mqtt-c:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:liambindle:mqtt-c:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-14T17:27:35.016Z"}]}