{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25627", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.789Z", "datePublished": "2026-03-30T20:11:08.586Z", "dateUpdated": "2026-03-31T19:09:34.784Z"}, "containers": {"cna": {"title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"}, {"name": "https://github.com/nanomq/NanoNNG/pull/1405", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/NanoNNG/pull/1405"}, {"name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"}, {"name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"version": "< 0.24.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T20:11:08.586Z"}, "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."}], "source": {"advisory": "GHSA-w4rh-v3h2-j29x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:38:44.968276Z", "id": "CVE-2026-25627", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:34.784Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25627", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:38:44.968276Z"}}}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:07:04.865Z"}}], "cna": {"title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket", "source": {"advisory": "GHSA-w4rh-v3h2-j29x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"status": "affected", "version": "< 0.24.8"}]}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nanomq/NanoNNG/pull/1405", "name": "https://github.com/nanomq/NanoNNG/pull/1405", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T20:11:08.586Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25627", "state": "PUBLISHED", "dateUpdated": "2026-03-31T19:09:34.784Z", "dateReserved": "2026-02-04T05:15:41.789Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T20:11:08.586Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BCF33DD-E338-4F9C-BA28-CC3F585079AF", "versionEndExcluding": "0.24.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."}, {"lang": "es", "value": "NanoMQ MQTT Broker (NanoMQ) es una plataforma de mensajer\u00eda de borde integral. Antes de la versi\u00f3n 0.24.8, el transporte MQTT-over-WebSocket de NanoMQ puede colapsar al enviar un paquete MQTT con una longitud restante (Remaining Length) deliberadamente grande en la cabecera fija mientras se proporciona una carga \u00fatil real mucho m\u00e1s corta. La ruta del c\u00f3digo copia bytes de la longitud restante sin verificar que el b\u00fafer de recepci\u00f3n actual contenga esa cantidad de bytes, lo que resulta en una lectura fuera de l\u00edmites (ASAN informa OOB / fallo). Esto puede ser activado remotamente a trav\u00e9s del oyente de WebSocket. Este problema ha sido parcheado en la versi\u00f3n 0.24.8."}], "id": "CVE-2026-25627", "lastModified": "2026-04-02T15:33:55.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T21:17:07.750", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nanomq/NanoNNG/pull/1405"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.24.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nanomq", "source": "cna", "vendor": "nanomq"}, "product": "nanomq", "vendor": "nanomq"}], "analysis": {"en": {"generated_at": "2026-04-02T16:28:14.095409+00:00", "value": {"mitigation_remediation": ["Apply the NanoMQ 0.24.8 patch or later to eliminate the crash.", "If an upgrade cannot be performed immediately, monitor the broker for instability and restart it as a temporary fix.", "Consider disabling or restricting the WebSocket listener via firewall rules until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Denial of Service via Out\u2011of\u2011Bounds Read"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of NanoMQ are any releases earlier than 0.24.8, including all 0.24.x builds up to 0.24.7 and prior major releases. The issue is tracked in GitHub commits and releases and has been fixed in the 0.24.8 release. The product is distributed under the EMQX NanoMQ project, which can be found as the cpe:2.3:a:emqx:nanomq.", "description_and_impact": "NanoMQ, an MQTT broker, contains a buffer overrun flaw in its WebSocket transport. A broker receiving an MQTT packet with a Remaining Length field that specifies a large value but whose attached payload is far shorter causes the code to copy too many bytes from the buffer. The unchecked copy leads to an out\u2011of\u2011bounds read, which is reported by ASAN as OOB and causes a crash. The crash terminates the broker process, resulting in a denial\u2011of\u2011service for any clients that rely on the affected instance. The weakness is identified as CWE\u2011125.", "risk_and_exploitability": "With a CVSS base score of 6.5, the vulnerability represents moderate severity. EPSS indicates less than 1% likelihood of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, because it can be triggered remotely by sending a specifically crafted MQTT packet over the WebSocket listener, an attacker with network access to the broker can induce repeated crashes. The attack requires only the ability to send malformed packets, meaning that exposed brokers in untrusted networks could be an easy target for a denial\u2011of\u2011service attack."}}}}, "created": "2026-03-31T20:00:01.098618+00:00", "updated": "2026-04-02T20:22:50.369227+00:00", "vendors": ["nanomq", "nanomq$PRODUCT$nanomq"]}