{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30867", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.343Z", "datePublished": "2026-04-02T13:57:06.394Z", "dateUpdated": "2026-04-02T16:23:13.357Z"}, "containers": {"cna": {"title": "CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2"}, {"name": "https://github.com/emqx/CocoaMQTT/pull/659", "tags": ["x_refsource_MISC"], "url": "https://github.com/emqx/CocoaMQTT/pull/659"}, {"name": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338", "tags": ["x_refsource_MISC"], "url": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338"}, {"name": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2"}], "affected": [{"vendor": "emqx", "product": "CocoaMQTT", "versions": [{"version": "< 2.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:57:06.394Z"}, "descriptions": [{"lang": "en", "value": "CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively \"bricks\" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2."}], "source": {"advisory": "GHSA-r3fr-7m74-q7g2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:18:50.452760Z", "id": "CVE-2026-30867", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:13.357Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively \"bricks\" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2."}], "id": "CVE-2026-30867", "lastModified": "2026-04-02T14:16:28.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:28.407", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338"}, {"source": "security-advisories@github.com", "url": "https://github.com/emqx/CocoaMQTT/pull/659"}, {"source": "security-advisories@github.com", "url": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CocoaMQTT", "source": "cna", "vendor": "emqx"}, "product": "cocoamqtt", "vendor": "emqx"}], "analysis": {"en": {"generated_at": "2026-04-02T15:23:48.259525+00:00", "value": {"mitigation_remediation": ["Upgrade CocoaMQTT to version\u00a02.2.2 or later", "If upgrading is not possible, clear retained messages on the MQTT broker for topics used by vulnerable clients", "If unable to clear retained messages, disable the RETAIN flag on outgoing messages from the broker", "Monitor client applications for crash logs and verify patch application"], "summary": {"action": "Patch Immediately", "impact": "Denial of Service via application crash"}, "threat_synthesis": {"affected_systems": "CocoaMQTT \u2013 a Swift\u2011based MQTT\u00a05.0 client for iOS, macOS, and tvOS \u2013 is affected. Versions prior to\u00a02.2.2 from the emqx product line are vulnerable. The client applications built against these versions should be considered at risk until the library is upgraded.", "description_and_impact": "The issue resides in CocoaMQTT's packet parsing logic for MQTT\u00a05.0. By publishing a 4\u2011byte malformed payload with the RETAIN flag, an attacker\u2014either a compromised broker or malicious broker operator\u2014forces the client to receive a corrupted packet. When the client decodes the packet, the application crashes immediately, even when running in the background. The crash effectively locks out the user until the retained message is removed from the broker, resulting in a persistent denial of service.", "risk_and_exploitability": "The CVSS score of\u00a05.7 indicates moderate severity. Although EPSS data is unavailable and the vulnerability is not listed in KEV, the exploit is straightforward: any entity that can publish to a broker that the client subscribes to can trigger the crash. An attacker only needs to send a malformed 4\u2011byte payload with the RETAIN flag set, which is executed automatically by the broker. The risk is amplified when the broker is controlled by an adversary, as the malicious message will be pushed to all subscribing clients, leading to widespread application downtime."}}}}, "created": "2026-04-02T20:12:27.706502+00:00", "updated": "2026-04-02T20:21:08.531439+00:00", "vendors": ["emqx", "emqx$PRODUCT$cocoamqtt"]}