
CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing

Posted on: May 15, 2026

Bulletin ID: 2026-032-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/15/2026 11:45 AM PDT

Description:

coreMQTT is a lightweight MQTT client library for embedded devices. We identified CVE-2026-8686, a missing bounds check in the MQTT v5.0 SUBACK and UNSUBACK property parser of coreMQTT before 5.0.1. A broker-supplied property length is not validated against the number of bytes remaining in the received packet, so a malicious or compromised MQTT broker can send a crafted SUBACK or UNSUBACK packet that makes the client read past the end of its receive buffer (heap out-of-bounds read) and crash, resulting in a denial of service. Because the trigger comes from the broker side of the connection, clients that connect to brokers they do not control are the most exposed.
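
The bug class described above, as an added illustration written for this bulletin and not taken from coreMQTT's source: a hypothetical MQTT v5 SUBACK/UNSUBACK parser in which the broker-supplied property length is validated against the bytes remaining in the packet before the properties are walked, and every string length inside the properties is validated against the property area. The packet layout (packet identifier, property length as a variable byte integer, properties, then one reason code per subscription) follows the MQTT v5.0 specification; the type and function names and the sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical parser (not coreMQTT's API). Input is the part of a
   SUBACK/UNSUBACK that follows the fixed header: variable header + payload. */
typedef enum { PARSE_OK = 0, PARSE_MALFORMED = 1 } parse_status_t;

typedef struct {
    uint16_t packet_id;
    uint32_t property_length;
    size_t   reason_code_offset;   /* index of the first reason code in buf */
    size_t   reason_code_count;
} ack_packet_t;

/* MQTT v5 variable byte integer: 1 to 4 bytes, 7 data bits per byte,
   bit 7 set on every byte but the last. */
static parse_status_t decode_vbi(const uint8_t *buf, size_t len, size_t *pos, uint32_t *value)
{
    uint32_t result = 0, multiplier = 1;
    for (int i = 0; i < 4; i++) {
        if (*pos >= len) return PARSE_MALFORMED;          /* truncated packet */
        uint8_t b = buf[(*pos)++];
        result += (uint32_t)(b & 0x7Fu) * multiplier;
        if ((b & 0x80u) == 0) { *value = result; return PARSE_OK; }
        multiplier *= 128u;
    }
    return PARSE_MALFORMED;                                /* 5th byte: malformed */
}

/* Skip a UTF-8 string (2-byte big-endian length + bytes) inside buf[*pos, end). */
static parse_status_t skip_utf8_string(const uint8_t *buf, size_t end, size_t *pos)
{
    if (end - *pos < 2) return PARSE_MALFORMED;
    size_t slen = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    if (end - *pos < slen) return PARSE_MALFORMED;        /* string leaves the property area */
    *pos += slen;
    return PARSE_OK;
}

/* Walk the properties in buf[*pos, end). SUBACK/UNSUBACK may carry only
   Reason String (0x1F) and User Property (0x26). Every read is bounded by end,
   which parse_ack() has already bounded by the packet length. */
static parse_status_t walk_properties(const uint8_t *buf, size_t end, size_t *pos)
{
    while (*pos < end) {
        switch (buf[(*pos)++]) {
        case 0x1F:                                          /* Reason String */
            if (skip_utf8_string(buf, end, pos) != PARSE_OK) return PARSE_MALFORMED;
            break;
        case 0x26:                                          /* User Property: name, value */
            if (skip_utf8_string(buf, end, pos) != PARSE_OK) return PARSE_MALFORMED;
            if (skip_utf8_string(buf, end, pos) != PARSE_OK) return PARSE_MALFORMED;
            break;
        default:
            return PARSE_MALFORMED;                         /* not allowed in this packet */
        }
    }
    return PARSE_OK;
}

parse_status_t parse_ack(const uint8_t *buf, size_t len, ack_packet_t *out)
{
    if (len < 2) return PARSE_MALFORMED;
    out->packet_id = (uint16_t)((buf[0] << 8) | buf[1]);
    size_t pos = 2;
    if (decode_vbi(buf, len, &pos, &out->property_length) != PARSE_OK) return PARSE_MALFORMED;

    /* The check whose absence is the bug class: the advertised property length
       must fit in what is left of the packet. Without it, end can lie beyond
       the buffer and walk_properties() reads out of bounds. */
    if (out->property_length > len - pos) return PARSE_MALFORMED;
    size_t end = pos + out->property_length;

    if (walk_properties(buf, end, &pos) != PARSE_OK) return PARSE_MALFORMED;
    out->reason_code_offset = pos;
    out->reason_code_count  = len - pos;               /* one reason code per topic filter */
    return out->reason_code_count == 0 ? PARSE_MALFORMED : PARSE_OK;
}

/* Constructed sample packets (bytes after the fixed header), not captured traffic. */
const uint8_t SAMPLE_GOOD[]         = {0x00, 0x2A, 0x05, 0x1F, 0x00, 0x02, 'o', 'k', 0x00};
const uint8_t SAMPLE_HUGE_PROPLEN[] = {0x00, 0x2A, 0x7F, 0x1F, 0x00};        /* 127 > 2 bytes left */
const uint8_t SAMPLE_BAD_STRING[]   = {0x00, 0x2A, 0x03, 0x1F, 0x00, 0xFF, 0x00}; /* string len 255 */
const uint8_t SAMPLE_TRUNC_VBI[]    = {0x00, 0x2A, 0x80};                    /* VBI continuation, no more bytes */

int main(void)
{
    ack_packet_t p;
    printf("good:         %d\n", parse_ack(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &p));
    printf("huge proplen: %d\n", parse_ack(SAMPLE_HUGE_PROPLEN, sizeof SAMPLE_HUGE_PROPLEN, &p));
    printf("bad string:   %d\n", parse_ack(SAMPLE_BAD_STRING, sizeof SAMPLE_BAD_STRING, &p));
    printf("trunc vbi:    %d\n", parse_ack(SAMPLE_TRUNC_VBI, sizeof SAMPLE_TRUNC_VBI, &p));
    return 0;
}
```

The two checks to look for when auditing a forked or vendored parser are the comparison of the decoded property length against `len - pos` before any property is touched, and the comparison of each embedded string length against the end of the property area rather than against the end of the whole packet.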

Impacted versions: v5.0.0

Resolution:

This issue has been addressed in coreMQTT version 5.0.1. We recommend upgrading to the latest version and ensuring that any forked, vendored, or derivative copies of the library (including copies embedded in device firmware) are patched to incorporate the fix.

Workarounds:

There are no workarounds for this issue. Customers should upgrade to the fixed version.

References:

Acknowledgement:

We would like to thank Epsilon for collaborating on this issue through the coordinated vulnerability disclosure process.


Please email aws-security@amazon.com with any security questions or concerns.