{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30867", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.343Z", "datePublished": "2026-04-02T13:57:06.394Z", "dateUpdated": "2026-04-02T16:23:13.357Z"}, "containers": {"cna": {"title": "CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2"}, {"name": "https://github.com/emqx/CocoaMQTT/pull/659", "tags": ["x_refsource_MISC"], "url": "https://github.com/emqx/CocoaMQTT/pull/659"}, {"name": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338", "tags": ["x_refsource_MISC"], "url": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338"}, {"name": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2"}], "affected": [{"vendor": "emqx", "product": "CocoaMQTT", "versions": [{"version": "< 2.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:57:06.394Z"}, "descriptions": [{"lang": "en", "value": "CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively \"bricks\" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2."}], "source": {"advisory": "GHSA-r3fr-7m74-q7g2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:18:50.452760Z", "id": "CVE-2026-30867", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:13.357Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emqx:cocoamqtt:*:*:*:*:*:swift:*:*", "matchCriteriaId": "CB8EC6A7-A8BA-4184-8097-74086252F0BF", "versionEndExcluding": "2.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}, {"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively \"bricks\" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2."}], "id": "CVE-2026-30867", "lastModified": "2026-04-07T18:04:00.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T14:16:28.407", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/emqx/CocoaMQTT/commit/010bca6f61b97d726252f61641d331a2bf82b338"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/emqx/CocoaMQTT/pull/659"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/emqx/CocoaMQTT/security/advisories/GHSA-r3fr-7m74-q7g2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CocoaMQTT", "source": "cna", "vendor": "emqx"}, "product": "cocoamqtt", "vendor": "emqx"}], "analysis": {"en": {"generated_at": "2026-04-07T23:05:09.686548+00:00", "value": {"mitigation_remediation": ["Upgrade CocoaMQTT to version 2.2.2 or newer", "Ensure the patched library is used in all iOS, macOS, and tvOS applications", "If an upgrade is not yet possible, delete any retained messages containing the malformed payload from your broker or block messages with the RETAIN flag", "Monitor broker logs for anomalous retained messages and validate that the application no longer crashes on receipt of such packets"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service through remote client crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the CocoaMQTT Swift MQTT client library used in iOS, macOS, and tvOS applications. Versions prior to 2.2.2 are susceptible; the fix was introduced in release 2.2.2 and subsequent versions.", "description_and_impact": "CocoaMQTT contains a flaw in its packet parsing logic that triggers a reachable assertion when a 4\u2011byte malformed payload is received on a topic marked with the RETAIN flag. The assertion causes the client application to crash in the background, resulting in a persistent denial of service that prevents the user from interacting with the app until the malformed message is removed from the broker. This weakness is classified as CWE\u2011617, an Improper Handling of Assertion issue.", "risk_and_exploitability": "The CVSS score of 5.7 indicates a medium impact, and the EPSS score of less than 1% suggests a low probability of exploitation. It is not listed in the CISA KEV catalog. Attacks require an attacker who controls or compromises a MQTT broker to publish a malformed retained packet; any vulnerable client that subscribes to that topic will instantly crash, making the exploitation path remote and straightforward for a broker operator."}}}}, "created": "2026-04-02T20:12:27.706502+00:00", "updated": "2026-04-08T19:56:28.181832+00:00", "vendors": ["emqx", "emqx$PRODUCT$cocoamqtt"]}