Description
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1.
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A division‑by‑zero bug in FlashMQ allows a remote client with retained‑publish permission to crash the broker when the deferred retained message timeout and spread are set to non‑default values. The crash results in a denial of service. The flaw is a CWE‑369 numeric truncation error that occurs during message handling logic. If anonymous retained publishing is enabled, no authentication is required; otherwise the attacker must possess the publish privilege.

Affected Systems

The vulnerability affects FlashMQ MQTT brokers from halfgaar before version 1.26.1. All releases in that range that accept retained‑publish messages and customize the defer timeout parameters are susceptible. Newer releases, starting with v1.26.1, contain the remediation.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and no EPSS data is currently available. The vulnerability is not listed in CISA KEV. Exploitation requires a reachable MQTT broker and either the right permission or the allowance of anonymous retained publishing. Once conditions are met, an attacker can trigger the broker to stop, disrupting service availability for all clients.

Generated by OpenCVE AI on May 8, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FlashMQ to version 1.26.1 or later, which fixes the divide‑by‑zero logic.
  • Verify that the set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread settings are either at their defaults or omitted; the patch resets them to safe values.
  • Configure the broker so that retained publish permissions are granted only to authenticated users or disable anonymous retained publishing entirely to reduce the attack surface.

Generated by OpenCVE AI on May 8, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Halfgaar
Halfgaar flashmq
Vendors & Products Halfgaar
Halfgaar flashmq

Fri, 08 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1.
Title FlashMQ: Division by zero crash when using non-default deferred retained message setting
Weaknesses CWE-369
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Halfgaar Flashmq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T15:59:27.626Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42209

cve-icon Vulnrichment

Updated: 2026-05-11T15:59:17.095Z

cve-icon NVD

Status : Deferred

Published: 2026-05-08T22:16:32.103

Modified: 2026-05-13T16:52:48.773

Link: CVE-2026-42209

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:24:47Z

Weaknesses