Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Published: 2026-03-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds read causing a broker crash and denial of service
Action: Immediate Patch
AI Analysis

Impact

A malformed MQTT packet with an excessively large Remaining Length field is accepted by NanoMQ’s WebSocket transport. The broker copies the requested amount of bytes from the receive buffer without ensuring the buffer actually contains that many bytes, triggering an out‑of‑bounds read that can result in a crash. This is identified as CWE‑125 and delivers a denial‑of‑service effect.

Affected Systems

The vulnerability exists in NanoMQ version 0.24.7 and earlier. Versions 0.24.8 and later include the fix. Any deployment of NanoMQ that exposes the MQTT‑over‑WebSocket listener is susceptible.

Risk and Exploitability

The CVSS base score is 6.5, indicating a moderate severity. Exploitation requires remote access to the WebSocket port; no authentication is required, so an attacker can send the crafted packet from anywhere that can reach the broker. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalogue, but the combination of a moderate CVSS score and open‑to‑attack vector raises the risk to a significant level.

Generated by OpenCVE AI on March 31, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanoMQ to version 0.24.8 or later
  • If an update cannot be applied immediately, restrict external access to the MQTT‑over‑WebSocket listener using a firewall or access control list
  • Monitor broker logs for anomalous packets and packet sizes for signs of malicious activity

Generated by OpenCVE AI on March 31, 2026 at 05:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Nanomq
Nanomq nanomq
Vendors & Products Nanomq
Nanomq nanomq

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Title nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nanomq Nanomq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:34.784Z

Reserved: 2026-02-04T05:15:41.789Z

Link: CVE-2026-25627

cve-icon Vulnrichment

Updated: 2026-03-31T19:07:04.865Z

cve-icon NVD

Status : Received

Published: 2026-03-30T21:17:07.750

Modified: 2026-03-31T20:16:26.073

Link: CVE-2026-25627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:14Z

Weaknesses