2026-032-AWS

CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing

Published: May 15, 2026


📋 Description

Bulletin ID: 2026-032-AWS

Scope: AWS

Content Type: Important (requires attention)

Publication Date: 05/15/2026 11:45 AM PDT

Description: coreMQTT is a lightweight MQTT client library for embedded devices. We identified CVE-2026-8686, an issue where missing bounds validation in the MQTT v5.0 SUBACK and UNSUBACK property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service (crash via heap out-of-bounds read) by sending a crafted packet.

Impacted versions: v5.0.0

Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
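To illustrate the class of check the description refers to, the following added example validates the properties of a SUBACK or UNSUBACK against the packet bounds, following the MQTT v5.0 packet layout. It is not coreMQTT's code or its fix; the function names and sample bytes are hypothetical and constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode a Variable Byte Integer from at most `avail` bytes; returns bytes used, 0 if bad. */
static size_t decode_vbi(const uint8_t *p, size_t avail, uint32_t *out) {
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        v |= (uint32_t)(p[i] & 0x7F) << (7 * i);
        if ((p[i] & 0x80) == 0) { *out = v; return i + 1; }
    }
    return 0;                                   /* truncated or longer than 4 bytes */
}

/* Step over one UTF-8 string (2-byte length + data) that must end at or before `end`. */
static int skip_utf8(const uint8_t *buf, size_t *pos, size_t end) {
    if (end - *pos < 2) return -1;
    size_t n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    if (end - *pos - 2 < n) return -1;          /* declared length overruns the properties */
    *pos += 2 + n;
    return 0;
}

/* buf/len: SUBACK or UNSUBACK bytes after the fixed header. Returns reason-code count, -1 if malformed. */
int check_ack_props(const uint8_t *buf, size_t len) {
    uint32_t prop_len;
    size_t pos = 2, used, end;                  /* bytes 0..1: Packet Identifier */
    if (buf == NULL || len < 3 || len > 268435455u) return -1;
    used = decode_vbi(buf + pos, len - pos, &prop_len);
    if (used == 0 || prop_len > len - pos - used) return -1;  /* Property Length must fit */
    pos += used;
    end = pos + prop_len;
    while (pos < end) {
        uint8_t id = buf[pos++];
        if (id == 0x1F) {                       /* Reason String */
            if (skip_utf8(buf, &pos, end)) return -1;
        } else if (id == 0x26) {                /* User Property: key then value */
            if (skip_utf8(buf, &pos, end) || skip_utf8(buf, &pos, end)) return -1;
        } else return -1;                       /* no other property is valid here */
    }
    return (len > end) ? (int)(len - end) : -1; /* at least one reason code required */
}

/* Constructed samples (bytes after the fixed header), not captured traffic. */
static const uint8_t ok_pkt[]  = { 0x00, 0x01, 0x05, 0x1F, 0x00, 0x02, 'o', 'k', 0x00 };
static const uint8_t bad_str[] = { 0x00, 0x01, 0x05, 0x1F, 0x00, 0x40, 'o', 'k', 0x00 };
static const uint8_t bad_len[] = { 0x00, 0x01, 0x7F, 0x1F };
int main(void) {   /* exit status 0 when the three samples classify as expected */
    return !(check_ack_props(ok_pkt, sizeof ok_pkt) == 1 &&
             check_ack_props(bad_str, sizeof bad_str) == -1 &&
             check_ack_props(bad_len, sizeof bad_len) == -1);
}
```

Every length field (Property Length and each string length) is compared with the bytes actually remaining before any read, so a packet that declares more data than it carries is rejected instead of being followed past the end of the buffer.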
