CVE-2026-13491 78 CVE debrief

Who should care

Defenders of 78 xiaozhi-esp32 up to 2.2.6 should be aware of this vulnerability and take necessary actions to mitigate the risk. The vulnerability allows for denial of service, which can have significant impacts on system availability. Due to the high complexity and difficult exploitability, defenders should prioritize patching and monitoring.

Technical summary

The vulnerability affects the MQTT Goodbye Handler in 78 xiaozhi-esp32 up to 2.2.6. The function Application::GetInstance in the file main/protocols/mqtt_protocol.cc is vulnerable to manipulation of the argument session_id, leading to denial of service. The attack can be carried out remotely, but the complexity is high and exploitability is difficult. A patch named e182471f8c5a22434346bd98da34d3b66c8c8b3e is available to fix this issue.

Defensive priority

Apply the patch e182471f8c5a22434346bd98da34d3b66c8c8b3e to fix the vulnerability. Monitor system logs for potential exploitation attempts.

Recommended defensive actions

• Apply the patch e182471f8c5a22434346bd98da34d3b66c8c8b3e to the affected system.
• Monitor system logs for potential exploitation attempts.
• Verify that the patch has been successfully applied and test the system.
• Consider implementing additional security measures to detect and prevent similar attacks.
• Review system configurations and ensure that they align with security best practices.

Evidence notes

The vulnerability was detected in 78 xiaozhi-esp32 up to 2.2.6. The exploit is now public and may be used. The complexity of an attack is rather high, and it is stated that the exploitability is difficult. The patch e182471f8c5a22434346bd98da34d3b66c8c8b3e is available to fix this issue.

Official resources