CVE-2026-8686: DoS from MQTT v5.0 Deserialization Fault in core MQTT
Published May 15, 2026
·Updated
Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users should upgrade to v5.0.1.
Affected Software
2 affected components
Amazon coreMQTT<5.0.1
Freertos Coremqtt=5.0.0
Event History
May 15, 2026
CVE Published
via MITRE·06:38 PM
Data Sourced
via MITRE·06:38 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·07:17 PM
DescriptionSeverityWeaknessAffected Software
Apr 22, 58353
Event
via FIRST·04:18 AM
Frequently Asked Questions
1
What is the severity of CVE-2026-8686?
CVE-2026-8686 is categorized as a denial of service vulnerability in the MQTT v5.0 property parser.
2
How do I fix CVE-2026-8686?
To remediate CVE-2026-8686, users should upgrade coreMQTT to version 5.0.1 or later.
3
What causes the vulnerability CVE-2026-8686?
CVE-2026-8686 is caused by missing bounds validation in the MQTT v5.0 property parser.
4
Which software is affected by CVE-2026-8686?
CVE-2026-8686 affects Amazon coreMQTT versions prior to 5.0.1.
5
What kind of attack can CVE-2026-8686 lead to?
CVE-2026-8686 can lead to a denial of service attack if an MQTT broker receives a crafted packet.