CVE-2021-41036

9.8 CRITICAL

📋 TL;DR

CVE-2021-41036 is a critical buffer overflow vulnerability in the Eclipse Paho MQTT C Client library: the client does not validate the rem_len (Remaining Length) field of incoming network packets before using it. A remote attacker who can deliver packets to the client can therefore execute arbitrary code or cause a denial of service. Any application using the vulnerable library is affected.

💻 Affected Systems

Products:
  • Eclipse Paho MQTT C Client
  • Any software embedding the Paho MQTT C library
Versions: All versions prior to 1.1
Operating Systems: All platforms using the C client (Linux, Windows, embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the core packet parsing logic, so all configurations using the library are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Denial of service through client crashes or system instability.

🟢 If Mitigated: Limited impact if network segmentation and strict access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - MQTT clients often connect to external brokers, making them directly accessible.
🏢 Internal Only: MEDIUM - Internal MQTT deployments could still be exploited by compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in packet parsing, requiring no authentication. Public GitHub issues demonstrate the flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1

Vendor Advisory: https://github.com/eclipse/paho.mqtt.embedded-c/issues/96

Restart Required: Yes

Instructions:

1. Update to Paho MQTT C Client version 1.1 or later.
2. Recompile any applications using the library.
3. Restart affected services.

🔧 Temporary Workarounds

Network Segmentation (applies to: all) - Isolate MQTT clients to trusted networks only

Broker Validation (applies to: all) - Configure MQTT brokers to validate and reject malformed packets

🧯 If You Can't Patch

  • Implement strict network access controls to limit MQTT traffic to trusted sources only
  • Deploy intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the application links against a Paho MQTT C library older than 1.1, using ldd or dependency-checking tools

Check Version:

Check library headers or version strings in compiled binaries

Verify Fix Applied:

Verify that the library version is 1.1 or later and that applications have been recompiled against the updated library

📡 Detection & Monitoring

Log Indicators:

  • Unexpected client disconnections
  • Memory access violation errors
  • Abnormal packet size logs

Network Indicators:

  • Malformed MQTT packets with abnormal rem_len values
  • Traffic patterns suggesting buffer overflow attempts
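The TL;DR above describes the root cause (the rem_len field used without validation) and the list above names "abnormal rem_len values" as the network indicator. The following added example, written for this page and not taken from the Paho project, shows what a correct Remaining Length decoder has to check and how the same routine can classify packets for a monitoring tap. The MQTT spec limits the field to at most 4 bytes and 268,435,455 as the maximum value; everything else here (the `RL_*` status names, the 64-byte receive buffer, the sample packets) is constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MQTT 3.1.1 / 5.0: Remaining Length is 1 to 4 bytes, 7 data bits per byte,
 * high bit set = another length byte follows. 0xFF 0xFF 0xFF 0x7F encodes
 * the largest legal value. */
#define MQTT_MAX_REMAINING_LENGTH 268435455u
#define MQTT_MAX_LENGTH_BYTES     4

/* Hypothetical status codes for this example. */
typedef enum {
    RL_OK = 0,
    RL_TRUNCATED,       /* input ended while a continuation bit was still set */
    RL_TOO_MANY_BYTES,  /* a 5th length byte: violates the protocol limit     */
    RL_EXCEEDS_BUFFER   /* declared length larger than the receive buffer     */
} rl_status;

const char *rl_status_str(rl_status s)
{
    switch (s) {
    case RL_OK:             return "ok";
    case RL_TRUNCATED:      return "truncated remaining-length field";
    case RL_TOO_MANY_BYTES: return "more than 4 remaining-length bytes";
    case RL_EXCEEDS_BUFFER: return "remaining length exceeds receive buffer";
    }
    return "unknown";
}

/* Decode the Remaining Length field. buf/len point at the first length byte
 * (just past the fixed-header control byte). capacity is how many payload
 * bytes the caller's buffer can actually hold; comparing the declared length
 * against it before any copy is the check a safe reader must perform. */
rl_status mqtt_decode_remaining_length(const uint8_t *buf, size_t len,
                                       size_t capacity,
                                       uint32_t *rem_len, size_t *consumed)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 0;
    uint8_t b;

    do {
        if (i >= MQTT_MAX_LENGTH_BYTES) return RL_TOO_MANY_BYTES;
        if (i >= len)                   return RL_TRUNCATED;
        b = buf[i++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        multiplier *= 128;              /* 128^4 still fits in uint32_t */
    } while (b & 0x80);

    if (value > capacity) return RL_EXCEEDS_BUFFER;
    *rem_len  = value;
    *consumed = i;
    return RL_OK;
}

/* Classify a whole packet (control byte + length field + payload) against a
 * receive buffer of capacity bytes. Usable from a monitoring tap to flag the
 * "abnormal rem_len" indicator, or from the client before it reads a payload. */
rl_status mqtt_check_packet(const uint8_t *pkt, size_t len, size_t capacity)
{
    uint32_t rem_len;
    size_t used;
    if (len < 2) return RL_TRUNCATED;   /* need control byte + 1 length byte */
    return mqtt_decode_remaining_length(pkt + 1, len - 1, capacity, &rem_len, &used);
}

/* Declared Remaining Length of a packet, or -1 if the field is malformed or
 * would overflow a capacity-byte buffer. */
long mqtt_declared_length(const uint8_t *pkt, size_t len, size_t capacity)
{
    uint32_t rem_len;
    size_t used;
    if (len < 2) return -1;
    if (mqtt_decode_remaining_length(pkt + 1, len - 1, capacity, &rem_len, &used) != RL_OK)
        return -1;
    return (long)rem_len;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. 0x30 = PUBLISH. */
    static const uint8_t ok_pkt[]    = {0x30, 0x02, 'h', 'i'};
    static const uint8_t big_pkt[]   = {0x30, 0x80, 0x01};              /* declares 128 bytes */
    static const uint8_t five_byte[] = {0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F};
    static const uint8_t cut_pkt[]   = {0x30, 0x80};                    /* continuation bit, no next byte */
    const size_t capacity = 64;     /* hypothetical receive-buffer size */

    printf("ok_pkt    : %s\n", rl_status_str(mqtt_check_packet(ok_pkt, sizeof ok_pkt, capacity)));
    printf("big_pkt   : %s\n", rl_status_str(mqtt_check_packet(big_pkt, sizeof big_pkt, capacity)));
    printf("five_byte : %s\n", rl_status_str(mqtt_check_packet(five_byte, sizeof five_byte, capacity)));
    printf("cut_pkt   : %s\n", rl_status_str(mqtt_check_packet(cut_pkt, sizeof cut_pkt, capacity)));
    return 0;
}
```

The two checks that matter for this CVE are the byte-count limit inside the loop and the comparison of the decoded value against the real buffer capacity; a decoder that trusts the declared length and copies that many bytes is exactly the pattern the advisory describes. For monitoring, any packet that returns something other than `RL_OK` is worth logging with the source address and the raw header bytes.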

SIEM Query:

Search for MQTT protocol anomalies or memory violation events related to MQTT clients
