Description
## Summary
An unsigned integer underflow exists in libcurl's MQTT publish path.
Due to incorrect arithmetic ordering in the size validation logic,
oversized MQTT PUBLISH messages are not rejected as intended.
## Affected version
libcurl 8.18.0
Tested on macOS (arm64) with AddressSanitizer enabled.
## Steps To Reproduce
1. Start a minimal MQTT server that accepts a CONNECT and CONNACK.
2. Use libcurl with the mqtt:// scheme.
3. Set CURLOPT_POSTFIELDSIZE_LARGE to a value larger than MAX_MQTT_MESSAGE_SIZE.
4. Provide a much smaller buffer via CURLOPT_POSTFIELDS.
5. Call curl_easy_perform().
libcurl proceeds instead of returning CURLE_TOO_LARGE, and ASAN reports
an out-of-bounds read in mqtt_publish().
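The underflow pattern described above, as an added illustration that is not libcurl's code: a hypothetical size check that subtracts before comparing, next to an ordering that checks every operand against the limit first. The value of MAX_MQTT_MESSAGE_SIZE is assumed here (the MQTT 3.1.1 remaining-length maximum); the report names the constant but not its value.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed value: MQTT 3.1.1 "remaining length" maximum (2^28 - 1).
   The report names this constant but does not state its value. */
#define MAX_MQTT_MESSAGE_SIZE ((size_t)((1u << 28) - 1))

/* 2-byte topic length prefix in the PUBLISH variable header. */
#define TOPIC_LEN_PREFIX 2

enum size_check { SIZE_OK = 0, SIZE_TOO_LARGE = 1 };

/* Hypothetical buggy ordering (illustration only): the subtraction runs
   before anything guarantees payloadlen <= MAX, so an oversized payload
   underflows to a huge size_t and the rejection branch is never taken. */
enum size_check check_publish_size_buggy(size_t payloadlen, size_t topiclen)
{
  size_t room = MAX_MQTT_MESSAGE_SIZE - payloadlen;   /* wraps if oversized */
  if(room < TOPIC_LEN_PREFIX + topiclen)
    return SIZE_TOO_LARGE;
  return SIZE_OK;
}

/* Corrected ordering: bound each operand before it enters the arithmetic,
   so no intermediate value can wrap. */
enum size_check check_publish_size_fixed(size_t payloadlen, size_t topiclen)
{
  if(topiclen > 0xffff)                  /* topic length is a 16-bit field */
    return SIZE_TOO_LARGE;
  if(TOPIC_LEN_PREFIX + topiclen > MAX_MQTT_MESSAGE_SIZE)
    return SIZE_TOO_LARGE;
  if(payloadlen > MAX_MQTT_MESSAGE_SIZE - TOPIC_LEN_PREFIX - topiclen)
    return SIZE_TOO_LARGE;
  return SIZE_OK;
}

int main(void)
{
  size_t oversized = MAX_MQTT_MESSAGE_SIZE + 1;  /* the report's scenario */
  size_t topiclen = 5;                            /* constructed: "topic" */
  printf("buggy: %s\n",
         check_publish_size_buggy(oversized, topiclen) ? "rejected" : "accepted");
  printf("fixed: %s\n",
         check_publish_size_fixed(oversized, topiclen) ? "rejected" : "accepted");
  return 0;
}
```

The buggy variant accepts the oversized payload, which is exactly the state in which a later read of `payloadlen` bytes from a smaller CURLOPT_POSTFIELDS buffer runs past its end.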
## Supporting Material / References
- ASAN stack trace showing heap-buffer-overflow in mqtt_publish()
- PoC client and server source code attached
## Impact
This issue allows applications using libcurl MQTT to bypass the intended
MAX_MQTT_MESSAGE_SIZE enforcement.
If CURLOPT_POSTFIELDSIZE_LARGE does not match the actual buffer size,
libcurl may perform out-of-bounds memory reads, leading to crashes
or aborts (confirmed with ASAN).
No direct remote exploitation was identified.
## Basic Information
- ID: H1:3508854
- Published: Jan 13, 2026 at 14:31
- Modified: Jan 13, 2026 at 17:09