GHSA-R3FR-7M74-Q7G2

Vulnerability from github – Published: 2026-04-03 21:33 – Updated: 2026-04-03 21:33
Summary
CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing
Details

A vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application.

The vulnerability is located in Source/FramePublish.swift during the extraction of the Topic string from the incoming byte array.

When parsing the Variable Header of a PUBLISH frame, the library reads the first two bytes to determine the topicLength. It then adds this length to the current position (pos) and attempts to slice the byte array to extract the string:

// Vulnerable slice as described above: `len` is the 16-bit Topic Length read from the
// first two bytes of the Variable Header, and `pos` is 2 + len. With len == 0 the
// closed range below becomes bytes[2...1], which traps at runtime.
if let data = NSString(bytes: [UInt8](bytes[2...(pos-1)]), length: Int(len), encoding: String.Encoding.utf8.rawValue) {
    topic = data as String
}

If a packet is received where the Topic Length evaluates to 0 (e.g., 0x00 0x00), the len variable becomes 0, and pos evaluates to 2.

The slicing logic dynamically calculates bytes[2...(2-1)], which becomes bytes[2...1]. Swift's ClosedRange operator (...) requires the lower bound to be less than or equal to the upper bound. Because 2 is not less than or equal to 1, Swift detects an out-of-bounds access attempt and immediately triggers a runtime trap (Fatal error: Range requires lowerBound <= upperBound), crashing the host application.

If an attacker publishes this 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database.
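The following is an added example, not CocoaMQTT's own code or its fix, showing how a PUBLISH Variable Header parser can validate the remote-supplied Topic Length before slicing so that a zero or oversized length is rejected as a protocol error instead of trapping the process. The function and error names are hypothetical, and the three frames are constructed inline.

```swift
import Foundation

// Hypothetical names; this is illustrative code, not the library's implementation.
enum PublishParseError: Error {
    case truncatedHeader                      // fewer than 2 bytes: no Topic Length field
    case emptyTopic                           // Topic Length == 0 (MQTT 3.1.1 requires >= 1 char)
    case topicExceedsPacket(need: Int, have: Int)
    case invalidUTF8
}

/// Extracts the Topic Name from the Variable Header of a PUBLISH frame.
/// `bytes` starts at the Topic Length field (fixed header already consumed).
/// Returns the topic and the offset of the next field.
func parseTopic(_ bytes: [UInt8]) throws -> (topic: String, next: Int) {
    guard bytes.count >= 2 else { throw PublishParseError.truncatedHeader }
    // Topic Length is a big-endian 16-bit integer.
    let len = (Int(bytes[0]) << 8) | Int(bytes[1])
    // A zero length is exactly what turns 2...(pos-1) into 2...1 in the vulnerable
    // slice; it is also invalid per the MQTT spec, so reject it before slicing.
    guard len > 0 else { throw PublishParseError.emptyTopic }
    let pos = 2 + len
    // Never trust the remote length to fit inside the packet actually received.
    guard pos <= bytes.count else {
        throw PublishParseError.topicExceedsPacket(need: pos, have: bytes.count)
    }
    // Half-open range 2..<pos expresses the same span without a closed-range precondition.
    guard let topic = String(bytes: bytes[2..<pos], encoding: .utf8) else {
        throw PublishParseError.invalidUTF8
    }
    return (topic, pos)
}

// Constructed frames (Variable Header bytes only):
let wellFormed: [UInt8] = [0x00, 0x03] + Array("a/b".utf8) + Array("hi".utf8) // topic "a/b", payload "hi"
let zeroLength: [UInt8] = [0x00, 0x00]                                        // the crashing case
let truncated:  [UInt8] = [0x00, 0x10, 0x61]                                  // claims 16 bytes, has 1

for frame in [wellFormed, zeroLength, truncated] {
    do {
        let r = try parseTopic(frame)
        print("topic=\(r.topic) nextOffset=\(r.next)")
    } catch {
        // A malformed frame should close the connection, not terminate the app.
        print("rejected \(frame): \(error)")
    }
}
```

The same length-versus-buffer check belongs at every other length-prefixed field in the packet (Packet Identifier, and in MQTT 5 the Properties length), since any of them can be supplied by a hostile broker.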


{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "CocoaMQTT"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:33:58Z",
    "nvd_published_at": "2026-04-02T14:16:28Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application.\n\nThe vulnerability is located in `Source/FramePublish.swift` during the extraction of the Topic string from the incoming byte array.\n\nWhen parsing the Variable Header of a `PUBLISH` frame, the library reads the first two bytes to determine the `topicLength`. It then adds this length to the current position (`pos`) and attempts to slice the byte array to extract the string:\n\n```swift\nif let data = NSString(bytes: [UInt8](bytes[2...(pos-1)]), length: Int(len), encoding: String.Encoding.utf8.rawValue) {\n    topic = data as String\n}\n```\n\nIf a packet is received where the Topic Length evaluates to `0` (e.g., `0x00 0x00`), the `len` variable becomes `0`, and `pos` evaluates to `2`.\n\nThe slicing logic dynamically calculates `bytes[2...(2-1)]`, which becomes **`bytes[2...1]`**. Swift\u0027s `ClosedRange` operator (`...`) requires the lower bound to be less than or equal to the upper bound. Because 2 is not less than 1, Swift detects an out-of-bounds access attempt and immediately triggers a runtime trap (`Fatal error: Range requires lowerBound \u003c= upperBound`), crashing the host application.\n\nIf an attacker publishes this 4-byte malformed payload to a shared topic with the `RETAIN` flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively \"bricks\" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database.",
  "id": "GHSA-r3fr-7m74-q7g2",
  "modified": "2026-04-03T21:33:58Z",
  "published": "2026-04-03T21:33:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emqx/CocoaMQTT/pull/659"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emqx/CocoaMQTT"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing "
}