Remote Crash Vulnerability in CocoaMQTT MQTT Client for iOS and macOS
CVE-2026-30867

5.7 MEDIUM

Key Information:

Vendor: EMQx
Status: Vendor
CVE Published: 2 April 2026

What is CVE-2026-30867?

CocoaMQTT, an MQTT 5.0 client library for iOS and macOS, contains a flaw in its packet parsing logic in versions prior to 2.2.2. An attacker who can publish to a shared topic can send a malformed payload with the RETAIN flag set; the broker stores the message, and every affected client that connects and receives the retained message crashes. The result is a persistent denial-of-service (DoS) condition that effectively 'bricks' the application until the retained message is manually removed from the broker's database. Updating the client to version 2.2.2 or later stops the crash; clearing the retained message from the broker removes the trigger for clients that have not yet been updated. Users are encouraged to update to version 2.2.2 or later to mitigate this risk.
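The advisory does not say which field the parser mishandles, so the following is an added illustration (in Python, not CocoaMQTT's Swift code) of the general defensive pattern a client parser needs: every length in an MQTT 5.0 PUBLISH packet is bounds-checked before it is used, so a malformed retained message is rejected with an error rather than crashing the application. The sample packets and the `shared/status` topic are constructed for the example.

```python
class MalformedPacket(ValueError):
    pass  # raised so a bad packet is rejected instead of crashing the client

def take(buf: bytes, pos: int, n: int, end: int) -> tuple[bytes, int]:
    # Return n bytes at pos, rejecting the packet if they are not all present.
    if pos + n > end:
        raise MalformedPacket("field runs past end of packet")
    return buf[pos:pos + n], pos + n

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    # MQTT Variable Byte Integer: 1-4 bytes, 7 data bits each, MSB = continue.
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise MalformedPacket("truncated variable byte integer")
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise MalformedPacket("variable byte integer longer than 4 bytes")

def parse_publish(packet: bytes) -> dict:
    """Parse an MQTT 5.0 PUBLISH packet, validating every length before use."""
    if not packet or packet[0] >> 4 != 3:
        raise MalformedPacket("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    remaining, pos = read_varint(packet, 1)
    end = pos + remaining
    if end != len(packet):
        raise MalformedPacket("remaining length does not match packet size")
    raw, pos = take(packet, pos, 2, end)  # topic name: 2-byte length prefix
    topic_raw, pos = take(packet, pos, int.from_bytes(raw, "big"), end)
    try:
        topic = topic_raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MalformedPacket("topic is not valid UTF-8") from exc
    packet_id = None
    if qos > 0:  # QoS 1 and 2 carry a 2-byte packet identifier
        raw, pos = take(packet, pos, 2, end)
        packet_id = int.from_bytes(raw, "big")
    prop_len, pos = read_varint(packet, pos)
    _, pos = take(packet, pos, prop_len, end)  # properties skipped, bounds kept
    return {"topic": topic, "qos": qos, "retain": bool(packet[0] & 0x01),
            "packet_id": packet_id, "payload": packet[pos:end]}

# Constructed samples (not from the advisory). GOOD is a retained QoS 0 PUBLISH
# to "shared/status" with payload b"ok"; BAD claims a 255-byte topic it lacks.
GOOD = bytes([0x31, 0x12, 0x00, 0x0D]) + b"shared/status" + b"\x00ok"
BAD = bytes([0x31, 0x12, 0x00, 0xFF]) + b"shared/status" + b"\x00ok"
```

A receiving client should catch MalformedPacket, drop the message and keep the connection state sane; without such checks a stored retained message can crash the client on every reconnect, which is the failure mode the advisory describes.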

Affected Version(s)

CocoaMQTT < 2.2.2

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved