Vulnerability DatabaseCVE-2021-45939

CVE-2021-45939:
Homebrew vulnerability analysis and mitigation

Overview

A heap-based buffer overflow vulnerability was discovered in wolfMQTT version 1.9 (CVE-2021-45939). The vulnerability exists in the MqttClientDecodePacket function, which is called from MqttClientWaitType and MqttClient_Subscribe. The issue was discovered on September 23, 2021, and was fixed in a subsequent patch (OSS-Fuzz, GitHub Commit).

Technical details

The vulnerability is classified as a heap-based buffer overflow WRITE vulnerability that occurs in the MqttClient_DecodePacket function. The CVSS v3.1 base score for this vulnerability is 5.5 (MEDIUM), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue affects the packet processing functionality in wolfMQTT, specifically when handling MQTT packet decoding operations (NVD).

Impact

If exploited, this vulnerability could lead to a heap buffer overflow condition, potentially resulting in program crashes or denial of service. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity (OSS-Fuzz-Vulns).

Mitigation and workarounds

The vulnerability has been fixed in a commit to the wolfMQTT repository. Users should upgrade to a version that includes the fix (commit 84d4b53122e0fa0280c7872350b89d5777dabbb2). The fix involves modifications to the packet handling logic in the MqttClient_WaitType function (GitHub Patch).

Additional resources

Source: This report was generated using AI

Related Homebrew vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-58360	CRITICAL	9.8	Java	org.geoserver.web:gs-web-app	No	Yes	Nov 25, 2025
CVE-2025-65085	HIGH	8.4	NixOS	cobalt	No	No	Nov 25, 2025
CVE-2025-65084	HIGH	8.4	NixOS	argon	No	No	Nov 25, 2025
CVE-2025-59789	HIGH	7.5	Homebrew	brpc	No	Yes	Dec 01, 2025
CVE-2025-64761	HIGH	7.5	Wolfi	openbao	No	Yes	Nov 25, 2025