CVE-2026-25627 (GCVE-0-2026-25627)

Vulnerability from cvelistv5 – Published: 2026-03-30 20:11 – Updated: 2026-03-31 19:09
VLAI?
Title
nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
nanomq nanomq Affected: < 0.24.8
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25627",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:38:44.968276Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T19:09:34.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T20:11:08.586Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/pull/1405",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/pull/1405"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"
        },
        {
          "name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"
        }
      ],
      "source": {
        "advisory": "GHSA-w4rh-v3h2-j29x",
        "discovery": "UNKNOWN"
      },
      "title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25627",
    "datePublished": "2026-03-30T20:11:08.586Z",
    "dateReserved": "2026-02-04T05:15:41.789Z",
    "dateUpdated": "2026-03-31T19:09:34.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-25627",
      "date": "2026-04-21",
      "epss": "0.00015",
      "percentile": "0.02966"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25627\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-30T21:17:07.750\",\"lastModified\":\"2026-04-02T15:33:55.340\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.\"},{\"lang\":\"es\",\"value\":\"NanoMQ MQTT Broker (NanoMQ) es una plataforma de mensajer\u00eda de borde integral. Antes de la versi\u00f3n 0.24.8, el transporte MQTT-over-WebSocket de NanoMQ puede colapsar al enviar un paquete MQTT con una longitud restante (Remaining Length) deliberadamente grande en la cabecera fija mientras se proporciona una carga \u00fatil real mucho m\u00e1s corta. La ruta del c\u00f3digo copia bytes de la longitud restante sin verificar que el b\u00fafer de recepci\u00f3n actual contenga esa cantidad de bytes, lo que resulta en una lectura fuera de l\u00edmites (ASAN informa OOB / fallo). Esto puede ser activado remotamente a trav\u00e9s del oyente de WebSocket. Este problema ha sido parcheado en la versi\u00f3n 0.24.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.24.8\",\"matchCriteriaId\":\"5BCF33DD-E338-4F9C-BA28-CC3F585079AF\"}]}]}],\"references\":[{\"url\":\"https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nanomq/NanoNNG/pull/1405\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/nanomq/nanomq/releases/tag/0.24.8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25627\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T18:38:44.968276Z\"}}}], \"references\": [{\"url\": \"https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T19:07:04.865Z\"}}], \"cna\": {\"title\": \"nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket\", \"source\": {\"advisory\": \"GHSA-w4rh-v3h2-j29x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nanomq\", \"product\": \"nanomq\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.24.8\"}]}], \"references\": [{\"url\": \"https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x\", \"name\": \"https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nanomq/NanoNNG/pull/1405\", \"name\": \"https://github.com/nanomq/NanoNNG/pull/1405\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e\", \"name\": \"https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nanomq/nanomq/releases/tag/0.24.8\", \"name\": \"https://github.com/nanomq/nanomq/releases/tag/0.24.8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125: Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-30T20:11:08.586Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25627\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-31T19:09:34.784Z\", \"dateReserved\": \"2026-02-04T05:15:41.789Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-30T20:11:08.586Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.