Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.
Published: 2026-04-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow via REST API
Action: Apply Patch
AI Analysis

Impact

NanoMQ MQTT Broker contains a heap buffer overflow in the uri_param_parse function of its REST API. The bug is caused by an off‑by‑one error when allocating memory for query parameter keys and values. A crafted HTTP request can trigger the overflow and overwrite a null byte beyond the allocated buffer, potentially corrupting memory and affecting the stability of the broker.

Affected Systems

Any instance of NanoMQ with a version earlier than 0.24.11 is affected. The vulnerability resides in the REST API of the broker, as identified by the nanomq:nanomq vendor and product name.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. The flaw can be triggered via a crafted HTTP request to the REST endpoint; no authentication requirement is mentioned in the description. The remote triggerability combined with the high severity suggests that exploitation could have significant impact if successful.

Generated by OpenCVE AI on April 21, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanoMQ to version 0.24.11 or later, which contains a patch for the buffer overflow bug.
  • If upgrading cannot be performed immediately, restrict access to the broker’s REST API by limiting inbound traffic to trusted hosts or applying firewall rules that block untrusted sources.
  • Monitor HTTP traffic to the REST endpoint for anomalous requests and review security advisories for newer vulnerabilities or patches.

Generated by OpenCVE AI on April 21, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Emqx
Emqx nanomq
CPEs cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*
Vendors & Products Emqx
Emqx nanomq
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Nanomq
Nanomq nanomq
Vendors & Products Nanomq
Nanomq nanomq

Mon, 20 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.
Title NanoMQ has Heap Buffer Overflow in URI Parameter Parsing
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Emqx Nanomq
Nanomq Nanomq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:33:14.607Z

Reserved: 2026-03-10T22:19:36.546Z

Link: CVE-2026-32135

cve-icon Vulnrichment

Updated: 2026-04-21T13:32:51.624Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T20:16:48.510

Modified: 2026-04-22T17:32:15.433

Link: CVE-2026-32135

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T15:45:07Z

Weaknesses