In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
| Link | Providers |
|---|---|
| https://github.com/JustDoIt0910/tinyMQTT/issues/19 |
|
History
Mon, 18 May 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service. | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-05-18T15:07:33.460Z
Reserved: 2025-08-16T00:00:00.000Z
Link: CVE-2025-56352
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-05-18T16:16:29.130
Modified: 2026-05-18T16:16:29.130
Link: CVE-2025-56352
Redhat
No data.
OpenCVE Enrichment
No data.