Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10.
Published: 2026-04-02
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read (possible information disclosure)
Action: Immediate Patch
AI Analysis

Impact

NanoMQ MQTT Broker's webhook_inproc.c routine parses incoming messages with cJSON_Parse, which expects a null-terminated string. The message body obtained through nng_msg_body(msg) is a raw binary buffer that may lack a terminating zero. When the payload size is a power of two that is at least 1024 bytes, the buffer receives no padding, so cJSON_Parse reads beyond the buffer until it encounters a zero byte. This out-of-bounds read can expose the contents of adjacent memory or trigger a crash, depending on the data reached, and constitutes a CWE-125 weakness. The issue is fixed in release 0.24.10.
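As an added illustration, not NanoMQ or nng code, of the defect described above and of the null-termination workaround listed under the recommended actions: a length-bounded copy that gives the parser the terminator it expects, plus a constructed payload generator to exercise the 1024-byte case. The (pointer, length) pair from nng_msg_body()/nng_msg_len(), the hook payload shape and the HOOK_BODY_MAX cap are assumptions, not values taken from the page.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not NanoMQ or nng code. A hook body arrives from
 * nng_msg_body()/nng_msg_len() as (pointer, length) with no guaranteed NUL;
 * passing the raw pointer to cJSON_Parse() makes the parser scan for '\0'
 * past the end of the buffer. Parse from an explicit length instead:
 * cJSON_ParseWithLength(body, len) in cJSON >= 1.7.13, or the copy below. */

/* Interim cap from the advisory's workaround (bodies under 1024 bytes);
 * the bounded copy alone already fixes the read. Assumed value. */
#define HOOK_BODY_MAX 1023

/* True when a NUL lies within the first len bytes, i.e. a strlen-style
 * parser would stop inside the buffer; false means it would read past len. */
bool body_has_terminator(const void *body, size_t len)
{
    return body != NULL && memchr(body, '\0', len) != NULL;
}

/* Heap copy of exactly len bytes plus a trailing '\0', or NULL when the body
 * is absent, empty or over HOOK_BODY_MAX. Caller frees the result. */
char *hook_body_to_cstring(const void *body, size_t len)
{
    if (body == NULL || len == 0 || len > HOOK_BODY_MAX)
        return NULL;
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, body, len);
    s[len] = '\0';
    return s;
}

/* Constructed hook payload padded with spaces inside a string value so its
 * byte length is exactly target_len (e.g. 1024). Like nng_msg_body(), the
 * output carries no NUL; returns the length written, or 0 if too small. */
size_t make_padded_json(char *out, size_t target_len)
{
    const char *head = "{\"clientid\":\"c1\",\"pad\":\"";
    const char *tail = "\"}";
    size_t fixed = strlen(head) + strlen(tail);
    if (target_len < fixed) return 0;
    memcpy(out, head, strlen(head));
    memset(out + strlen(head), ' ', target_len - fixed);
    memcpy(out + target_len - strlen(tail), tail, strlen(tail));
    return target_len;
}
```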

Affected Systems

All NanoMQ releases prior to 0.24.10 are affected, as identified in the advisories and the CPE listing for nanomq:nanomq; the product name is simply NanoMQ MQTT Broker.

Risk and Exploitability

The CVSS v3 score is 4.9, indicating moderate severity, while the EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Exploitation likely requires an attacker to send a specially crafted JSON payload of power-of-two length (at least 1024 bytes) to the broker's webhook interface, and the broker must be reachable from the attacker's network. Because the attack relies on payloads of a specific size, exploitation is feasible but unlikely to be widespread.

Generated by OpenCVE AI on April 15, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanoMQ to version 0.24.10 or later.
  • If an upgrade is not immediately possible, constrain the maximum JSON payload size to less than 1024 bytes or enforce null-termination before parsing.
  • Continuously monitor broker logs for anomalous JSON parsing errors or crashes.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 16:00:00 +0000

Values added (nothing removed):
  First Time appeared: Emqx; Emqx nanomq
  CPEs: cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*
  Vendors & Products: Emqx; Emqx nanomq

Fri, 03 Apr 2026 10:15:00 +0000

Values added (nothing removed):
  First Time appeared: Nanomq; Nanomq nanomq
  Vendors & Products: Nanomq; Nanomq nanomq

Thu, 02 Apr 2026 20:30:00 +0000

Values added (nothing removed):
  Description: NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10.
  Title: nanomq: Heap-Buffer-Overflow in webhook_inproc.c via cJSON_Parse OOB Read
  Weaknesses: CWE-125; CWE-457
  References: (empty)
  Metrics:
    cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T19:10:58.813Z

Reserved: 2026-03-30T17:15:52.500Z

Link: CVE-2026-34608

Vulnrichment

Updated: 2026-04-02T19:10:55.411Z

NVD

Status: Analyzed

Published: 2026-04-02T18:16:32.357

Modified: 2026-04-10T15:59:59.297

Link: CVE-2026-34608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses