Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Published: 2026-03-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service via Out‑of‑Bounds Read
Action: Immediate Patch
AI Analysis

Impact

NanoMQ, an MQTT broker, contains an out‑of‑bounds read flaw in its WebSocket transport. When the broker receives an MQTT packet whose Remaining Length field declares a large value but whose actual payload is far shorter, the code copies Remaining Length bytes without checking that the receive buffer holds that many. The unchecked copy reads past the end of the buffer; ASAN reports it as an OOB read and the broker crashes. The crash terminates the broker process, resulting in a denial of service for any clients that rely on the affected instance. The weakness is identified as CWE‑125.
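The length check described above, written out as an added example (this is not NanoMQ's code; the function names, return codes and buffer layout are assumptions made for illustration). It decodes the MQTT variable-length Remaining Length and copies the body only when the receive buffer actually holds that many bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { PKT_OK = 0, PKT_NEED_MORE = 1, PKT_MALFORMED = -1, PKT_TOO_BIG = -2 };

/* Decode the MQTT Remaining Length: 1-4 bytes, 7 value bits each, bit 7 set
 * means another byte follows. Returns bytes consumed, 0 if the buffer ends
 * mid-field, -1 if the 4th byte still has the continuation bit set. */
static int decode_remaining_length(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint32_t value = 0;
    for (size_t i = 0; i < 4; i++) {
        if (i >= avail)
            return 0;
        value |= (uint32_t)(p[i] & 0x7F) << (7 * i);
        if ((p[i] & 0x80) == 0) {
            *out = value;
            return (int)(i + 1);
        }
    }
    return -1;
}

/* Copy one packet body out of buf. The declared Remaining Length is attacker
 * controlled, so it is compared with what was received before any copy. */
int copy_packet_body(const uint8_t *buf, size_t buf_len,
                     uint8_t *dst, size_t dst_cap, size_t *body_len)
{
    uint32_t remaining = 0;
    if (buf_len < 2)                        /* type byte + at least 1 length byte */
        return PKT_NEED_MORE;
    int n = decode_remaining_length(buf + 1, buf_len - 1, &remaining);
    if (n < 0)
        return PKT_MALFORMED;
    if (n == 0)
        return PKT_NEED_MORE;
    size_t header_len = 1 + (size_t)n;      /* always <= buf_len here */
    if (remaining > dst_cap)                /* destination bound */
        return PKT_TOO_BIG;
    if (remaining > buf_len - header_len)   /* source bound: the missing check */
        return PKT_NEED_MORE;               /* caller waits for more data or drops */
    memcpy(dst, buf + header_len, remaining);
    *body_len = remaining;
    return PKT_OK;
}
```
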

Affected Systems

All NanoMQ releases earlier than 0.24.8 are vulnerable, including all 0.24.x builds up to 0.24.7 and prior major releases. The issue is tracked in GitHub commits and releases and has been fixed in the 0.24.8 release. The product is distributed under the EMQX NanoMQ project and is identified by the CPE cpe:2.3:a:emqx:nanomq.

Risk and Exploitability

With a CVSS base score of 6.5, the vulnerability is of moderate severity. EPSS indicates less than 1% likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. However, because it can be triggered remotely by sending a specially crafted MQTT packet over the WebSocket listener, an attacker with network access to the broker can induce repeated crashes. The attack requires only the ability to send malformed packets, meaning that exposed brokers in untrusted networks could be an easy target for a denial‑of‑service attack.

Generated by OpenCVE AI on April 2, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the NanoMQ 0.24.8 patch or later to eliminate the crash.
  • If an upgrade cannot be performed immediately, monitor the broker for instability and restart it as a temporary fix.
  • Consider disabling or restricting the WebSocket listener via firewall rules until the patch is applied.


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Emqx
Emqx nanomq
CPEs cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*
Vendors & Products Emqx
Emqx nanomq

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Nanomq
Nanomq nanomq
Vendors & Products Nanomq
Nanomq nanomq

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Title nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:34.784Z

Reserved: 2026-02-04T05:15:41.789Z

Link: CVE-2026-25627

Vulnrichment

Updated: 2026-03-31T19:07:04.865Z

NVD

Status: Analyzed

Published: 2026-03-30T21:17:07.750

Modified: 2026-04-02T15:33:55.340

Link: CVE-2026-25627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:50Z

Weaknesses