What is the CVSS score of CVE-2024-42646?

CVE-2024-42646 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Nanomq are affected by CVE-2024-42646?

NanoMQ v0.21.10 is vulnerable to denial-of-service attacks through specially crafted messages, with no patch currently available.

Is there a public PoC exploit available for CVE-2024-42646?

Yes, a public proof-of-concept exploit is available for CVE-2024-42646. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-42646?

Within 24 hours: Inventory all NanoMQ v0.21.10 deployments and assess criticality. Within 7 days: Implement network segmentation to restrict broker access to trusted sources only and enable message validation/filtering at ingress points. Within 30 days: Evaluate upgrade to patched NanoMQ version when released, or migrate to alternative MQTT broker solutions with active security support.

Nanomq CVE-2024-42646

EUVD-2024-54786 HIGH

Out-of-bounds Read (CWE-125)

2025-07-14 cve@mitre.org

Denial Of Service Nanomq

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 09:43 euvd

EUVD-2024-54786

Analysis Generated

Mar 16, 2026 - 09:43 vuln.today

PoC Detected

Jul 16, 2025 - 19:15 vuln.today

Public exploit code

CVE Published

Jul 14, 2025 - 17:15 nvd

HIGH 7.5

DescriptionCVE.org

A segmentation fault in NanoMQ v0.21.10 allows attackers to cause a Denial of Service (DoS) via crafted messages.

AnalysisAI

CVE-2024-42646 is a segmentation fault vulnerability in NanoMQ v0.21.10 that allows unauthenticated remote attackers to trigger a denial of service condition by sending specially crafted messages. This is a network-accessible DoS vulnerability with high availability impact (CVSS 7.5) that affects message broker deployments. The vulnerability requires no authentication or user interaction, making it easily exploitable in production environments.

Technical ContextAI

NanoMQ is a lightweight MQTT message broker implementation. The vulnerability exists in the message parsing or processing logic (CWE-125: Out-of-bounds Read), where insufficient input validation on crafted MQTT protocol messages leads to a segmentation fault—typically caused by reading beyond allocated buffer boundaries. MQTT v3.1/v5.0 message handlers in NanoMQ v0.21.10 lack proper bounds checking when processing variable-length message fields (e.g., topic names, payloads, or protocol headers). This memory safety issue is common in C/C++ implementations lacking memory-safe abstractions. The segfault is triggered during message deserialization before protocol validation completes, allowing any network client to crash the broker process without establishing authenticated sessions.

RemediationAI

Immediate actions: (1) Upgrade NanoMQ to the latest patched version (vendor advisory required—check https://github.com/emqx/nanomq/releases and https://www.emqx.io/); (2) If upgrade is blocked, implement network-level mitigations: restrict MQTT broker access via firewall/ACLs to trusted clients only, isolate the broker on a segmented network, and disable public Internet exposure; (3) Monitor broker process health and implement automated restart mechanisms (systemd service files, container health checks) to minimize downtime from crash events; (4) Add input validation/fuzzing at the network boundary if running a custom reverse proxy. Workarounds are limited for this memory safety issue—patching is the primary mitigation.

CVE-2024-42646 vulnerability details – vuln.today

Back

Nanomq CVE-2024-42646

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code