Description
FlashMQ is an MQTT broker/server designed for multi-CPU environments. Prior to version 1.26.2, authorized clients were able to exceed the permitted over-commit of their write buffer and trigger an internal safeguard exception. This exception was thrown in a path where it could not be caught, and therefore caused a server abort. This issue has been patched in version 1.26.2.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlashMQ, a multi-CPU MQTT broker, contains a flaw that allows an authorized client to write more data into the broker's write buffer than the permitted over-commit limit. The excess data triggers an internal safeguard exception that is never caught (CWE-248, Uncaught Exception). Because the exception propagates out of a non-catchable path, the broker process aborts, immediately interrupting service for all connected clients. The primary impact is a denial of service against the broker's availability.

Affected Systems

The vulnerability applies to FlashMQ version 1.26.1 and all earlier releases distributed by halfgaar. Version 1.26.2 contains the fix through a code commit that prevents the unchecked exception.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS data is not available, and the issue is not listed in CISA KEV. Based on the description, the attacker must be an authorized MQTT client with network access to the broker, which requires valid credentials or a compromised authentication flow. Once authenticated, the client can exceed the write-buffer over-commit limit to force the server abort.

Generated by OpenCVE AI on June 10, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FlashMQ to version 1.26.2 or later, which includes the corrective code that guards against the uncaught exception.
  • Review which authorized clients legitimately need high-throughput traffic that approaches the broker's write-buffer limits, and remove or restrict credentials for clients that do not need such throughput.
  • Enable logging of broker abort events and configure alerts so that administrators are notified of unexpected process restarts.


Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Halfgaar; Halfgaar flashmq
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Halfgaar; Halfgaar flashmq

Tue, 09 Jun 2026 23:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: FlashMQ is an MQTT broker/server designed for multi-CPU environments. Prior to version 1.26.2, authorized clients were able to exceed the permitted over-commit of their write buffer and trigger an internal safeguard exception. This exception was thrown in a path where it could not be caught, and therefore caused a server abort. This issue has been patched in version 1.26.2.
Type: Title
  Values Removed: (none)
  Values Added: FlashMQ: Client can trigger uncaught exception on FlashMQ 1.26.1 and older
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-248
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Halfgaar Flashmq
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:01:33.212Z

Reserved: 2026-05-13T21:04:10.933Z

Link: CVE-2026-46411

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:53.407

Modified: 2026-06-10T00:16:53.407

Link: CVE-2026-46411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:15:19Z

Weaknesses