CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-8686

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: 2026-032-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/15/2026 11:45 AM PDT Description: coreMQTT is a lightweight MQTT client library for embedded devices. We identified CVE-2026-8686, an issue where missing bounds validation in the MQTT v5.0 SUBACK and UNSUBACK property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service (crash via heap out-of-bounds read) by sending a crafted packet. Impacted versions: v5.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Missing bounds validation allows denial of service via crafted MQTT packets.
Who is affected
Users of coreMQTT version 5.0.0.
Urgency
Remediation is urgent due to the potential for service crashes.
Action
Upgrade to version 5.0.1 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-8686

Get an email if CVE-2026-8686 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-8686

CVE.org record

Embed the live status

CVE-2026-8686 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-8686 status](https://www.csirts.com/badge/CVE-2026-8686)](https://www.csirts.com/cve/CVE-2026-8686)