PatchSiren cyber security CVE debrief
CVE-2025-56352 JustDoIt0910 CVE debrief
CVE-2025-56352 describes a denial-of-service condition in tinyMQTT CONNECT packet handling. According to the NVD record, a malformed CONNECT with an empty Client ID and CleanSession set to 0 receives a rejection response, but the TCP connection is not explicitly closed, allowing repeated invalid attempts to accumulate open sockets and exhaust broker resources.
- Vendor: JustDoIt0910
- Product: tinyMQTT
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Operators and developers running tinyMQTT brokers, especially any internet-facing MQTT deployments or embedded environments with limited file descriptors and memory.
Technical summary
The supplied CVE description says tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 mishandles a protocol violation during CONNECT parsing. When the broker sees a zero-length Client ID with CleanSession set to 0, it returns CONNACK 0x02 (Identifier Rejected) but does not reliably close the TCP connection. Because the surrounding teardown path is not guaranteed to run, each invalid attempt can leave a socket open, creating resource exhaustion risk. NVD maps the issue to CWE-400 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 HIGH).
Defensive priority
High. This is a network-reachable availability issue that can be triggered with repeated malformed CONNECT attempts and may be especially impactful on small or heavily used brokers.
Recommended defensive actions
- Identify whether any deployed broker builds include the affected tinyMQTT commit lineage referenced in the CVE description.
- Review CONNECT error-handling paths to ensure rejected sessions always trigger explicit connection teardown.
- Add monitoring for abnormal growth in open sockets, file descriptors, and broker memory usage.
- Rate-limit or otherwise constrain repeated invalid connection attempts at the network or application layer.
- Test broker behavior with malformed MQTT CONNECT traffic in a controlled environment and confirm the connection is closed after rejection.
- Track upstream advisories and patches for tinyMQTT before exposing affected brokers to untrusted networks.
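As an added example (not tinyMQTT's code and not derived from the linked PoC), the following Python parses the body of an MQTT 3.1.1 CONNECT packet, applies the protocol rule the CVE description refers to (a zero-length Client ID with CleanSession set to 0 gets CONNACK return code 0x02 and the network connection is then closed, MQTT-3.1.3-8), and wraps the reply in try/finally so the teardown asked for in the second action above cannot be skipped by an early return or an exception. `FakeConn`, `build_connect` and `OPEN_CONNS` are constructed stand-ins for the broker's socket and connection table; the same decision logic would sit in the real broker's CONNECT handler.

```python
"""Added example: MQTT 3.1.1 CONNECT validation with guaranteed teardown.
Not tinyMQTT's code; FakeConn/OPEN_CONNS/build_connect are constructed."""
import struct

# CONNACK return codes (MQTT 3.1.1, section 3.2.2.3)
CONNACK_ACCEPTED = 0x00
CONNACK_IDENTIFIER_REJECTED = 0x02


def _read_utf8(buf, pos):
    """Read a length-prefixed UTF-8 string; raise ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_connect(payload):
    """Parse the variable header and Client ID of a CONNECT body
    (everything after the fixed header). Will/user/password fields
    are not needed for this check and are left unparsed."""
    name, pos = _read_utf8(payload, 0)
    if name != "MQTT":
        raise ValueError("unexpected protocol name %r" % name)
    if pos + 4 > len(payload):
        raise ValueError("truncated variable header")
    level = payload[pos]
    flags = payload[pos + 1]
    (keepalive,) = struct.unpack_from(">H", payload, pos + 2)
    pos += 4
    client_id, pos = _read_utf8(payload, pos)
    return {
        "level": level,
        "clean_session": bool(flags & 0x02),  # bit 1 of the connect flags
        "keepalive": keepalive,
        "client_id": client_id,
    }


def decide_connect(payload):
    """Return (connack_return_code_or_None, must_close).

    A packet that cannot be parsed gets no CONNACK and is simply closed.
    An empty Client ID is only acceptable together with CleanSession=1;
    with CleanSession=0 the server must answer 0x02 and close the link."""
    try:
        info = parse_connect(payload)
    except ValueError:
        return None, True
    if info["client_id"] == "" and not info["clean_session"]:
        return CONNACK_IDENTIFIER_REJECTED, True
    return CONNACK_ACCEPTED, False


class FakeConn:
    """Constructed stand-in for a socket: records bytes sent and whether
    close() was called, so the teardown guarantee can be checked."""

    def __init__(self):
        self.sent = b""
        self.closed = False

    def send(self, data):
        self.sent += data

    def close(self):
        self.closed = True


# Constructed stand-in for the broker's table of live connections; growth
# of this set is what the monitoring action above would watch for.
OPEN_CONNS = set()


def handle_connect(conn, payload):
    """Broker-side CONNECT handling. The CONNACK is sent inside try and the
    close happens in finally, so a rejected session is always torn down
    even if send() raises. Returns the CONNACK code sent (None if none)."""
    OPEN_CONNS.add(conn)
    code, must_close = decide_connect(payload)
    try:
        if code is not None:
            # CONNACK: packet type 0x20, remaining length 2, ack flags 0, code
            conn.send(bytes([0x20, 0x02, 0x00, code]))
    finally:
        if must_close:
            conn.close()
            OPEN_CONNS.discard(conn)
    return code


def build_connect(client_id, clean_session):
    """Build a constructed CONNECT body (protocol level 4, keepalive 60)."""
    flags = 0x02 if clean_session else 0x00
    body = b"\x00\x04MQTT" + bytes([4, flags]) + struct.pack(">H", 60)
    cid = client_id.encode("utf-8")
    return body + struct.pack(">H", len(cid)) + cid


if __name__ == "__main__":
    c = FakeConn()
    print(handle_connect(c, build_connect("", False)), c.closed, len(OPEN_CONNS))
```

Running the module sends the rejecting CONNACK for an empty Client ID with CleanSession 0 and leaves the connection table empty; an empty Client ID with CleanSession 1 is accepted and stays open, as the protocol allows. The point of the structure is that `must_close` is decided once and honoured in `finally`, which is the property to look for when reviewing a broker's CONNECT error path.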
Evidence notes
The source corpus includes the NVD CVE record, the CVE.org record, a GitHub issue reference, and a linked PoC text attachment. The NVD metadata marks the vulnerability status as Deferred and lists CWE-400 with CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The description specifically attributes the flaw to tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 and a CONNECT parsing edge case involving an empty Client ID with CleanSession set to 0. No exploit details are reproduced here.
Official resources
- CVE-2025-56352 CVE record (CVE.org)
- CVE-2025-56352 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Publicly disclosed in the CVE/NVD records on 2026-05-18. The supplied NVD metadata shows the entry as Deferred and includes references to a GitHub issue and a PoC attachment.