Description
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1.
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A division‑by‑zero bug in FlashMQ allows a remote client with retained‑publish permission to crash the broker when the deferred retained message timeout and spread are set to non‑default values. The crash results in a denial of service. The flaw is a CWE‑369 numeric truncation error that occurs during message handling logic. If anonymous retained publishing is enabled, no authentication is required; otherwise the attacker must possess the publish privilege.

Affected Systems

The vulnerability affects FlashMQ MQTT brokers from halfgaar before version 1.26.1. All releases in that range that accept retained‑publish messages and customize the defer timeout parameters are susceptible. Newer releases, starting with v1.26.1, contain the remediation.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and no EPSS data is currently available. The vulnerability is not listed in CISA KEV. Exploitation requires a reachable MQTT broker and either the right permission or the allowance of anonymous retained publishing. Once conditions are met, an attacker can trigger the broker to stop, disrupting service availability for all clients.

Generated by OpenCVE AI on May 8, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FlashMQ to version 1.26.1 or later, which fixes the divide‑by‑zero logic.
  • Verify that the set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread settings are either at their defaults or omitted; the patch resets them to safe values.
  • Configure the broker so that retained publish permissions are granted only to authenticated users or disable anonymous retained publishing entirely to reduce the attack surface.

Generated by OpenCVE AI on May 8, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1.
Title FlashMQ: Division by zero crash when using non-default deferred retained message setting
Weaknesses CWE-369
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:40:43.284Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42209

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T22:16:32.103

Modified: 2026-05-08T22:16:32.103

Link: CVE-2026-42209

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses