PatchSiren cyber security CVE debrief

CVE-2026-8686 FreeRTOS CVE debrief

A missing bounds validation vulnerability in the MQTT v5.0 property parser of FreeRTOS coreMQTT 5.0.0 allows a malicious or compromised MQTT broker to cause denial of service on the client via a crafted packet. The vulnerability was published on 2026-05-15 and last modified on 2026-05-19. The issue is rated HIGH severity with a CVSS score of 8.7. The root cause is identified as CWE-125 (Out-of-bounds Read). FreeRTOS has released coreMQTT version 5.0.1 to address this vulnerability.

Vendor: FreeRTOS
Product: coreMQTT
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations deploying FreeRTOS coreMQTT 5.0.0 in IoT and embedded systems, particularly those connecting to external or untrusted MQTT brokers. Development teams building MQTT-based applications on constrained devices using the FreeRTOS ecosystem.

Technical summary

The vulnerability exists in the MQTT v5.0 property parser implementation within FreeRTOS coreMQTT 5.0.0. Insufficient bounds validation while parsing the properties of incoming MQTT packets allows a malicious or compromised MQTT broker to send crafted packets that trigger an out-of-bounds read. This results in denial of service for the MQTT client application. The attack vector is network-based, requires no authentication, and can be exploited without user interaction; because the crafted packet arrives from the broker side of an established session, the client's own authentication to the broker does not mitigate it. The vulnerability does not affect confidentiality or integrity but has high impact on availability.
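The defect class described above, reading past the received bytes while walking an MQTT v5 property block, is best understood from the defender's side. The bounds-checked property walker below is an added illustration written for this debrief, not coreMQTT's code, and it does not reproduce coreMQTT's actual defect (which the advisory does not detail); it handles only a handful of property identifiers and rejects everything else.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode an MQTT Variable Byte Integer. Returns bytes consumed, or 0 if the
 * encoding is truncated (would read past len) or runs past 4 bytes. */
static size_t vbi_decode(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t value = 0, mult = 1;
    for (size_t i = 0; i < 4; i++) {
        if (i >= len) return 0;             /* truncated: next byte lies past the buffer */
        value += (uint32_t)(buf[i] & 0x7F) * mult;
        if (!(buf[i] & 0x80)) { *out = value; return i + 1; }
        mult *= 128;
    }
    return 0;                               /* a 5th continuation byte is malformed */
}

/* Walk an MQTT v5 property block ([property length][properties...]) held in
 * buf[0..len). The declared length is checked against the bytes actually
 * present and every value read is preceded by a remaining-bytes check. */
bool parse_properties(const uint8_t *buf, size_t len, unsigned *count)
{
    uint32_t plen;
    size_t used = vbi_decode(buf, len, &plen);
    if (used == 0 || plen > len - used) return false;   /* length exceeds packet */
    const uint8_t *p = buf + used, *end = p + plen;
    *count = 0;
    while (p < end) {
        uint8_t id = *p++;
        size_t need = 0;
        switch (id) {
        case 0x01: case 0x24: case 0x25: need = 1; break;   /* single-byte properties */
        case 0x23:                        need = 2; break;   /* Topic Alias: two byte int */
        case 0x02: case 0x11:             need = 4; break;   /* four byte int */
        case 0x03: case 0x08: case 0x26:                     /* UTF-8 string(s); 0x26 has two */
            for (int s = (id == 0x26) ? 2 : 1; s > 0; s--) {
                if ((size_t)(end - p) < need + 2) return false;   /* length prefix overruns */
                need += 2 + (((size_t)p[need] << 8) | p[need + 1]);
            }
            break;
        default: return false;              /* unknown identifier: reject rather than guess */
        }
        if ((size_t)(end - p) < need) return false;       /* value overruns the block */
        p += need;
        (*count)++;
    }
    return p == end;
}
```

The two checks that matter are the comparison of the declared property length against the bytes actually received and the per-value remaining-bytes check; a parser that trusts either length field from the wire reads past its buffer on a crafted packet.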

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FreeRTOS coreMQTT to version 5.0.1 or later
  • Review MQTT broker connections for unexpected traffic patterns
  • Monitor for denial-of-service indicators in MQTT client applications
  • Validate MQTT packet handling in embedded deployments using coreMQTT

Evidence notes

CVE published 2026-05-15; modified 2026-05-19. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. Affected product: FreeRTOS coreMQTT 5.0.0. CWE-125 identified as weakness type.
