CVE-2024-42646

EUVD-2024-54786 | HIGH 7.5 (CVSS 3.1) | 2025-07-14

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 09:43 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 09:43 (euvd), EUVD-2024-54786
PoC Detected: Jul 16, 2025 - 19:15 (vuln.today), public exploit code
CVE Published: Jul 14, 2025 - 17:15 (nvd), HIGH 7.5

Description

A segmentation fault in NanoMQ v0.21.10 allows attackers to cause a Denial of Service (DoS) via crafted messages.

Analysis

CVE-2024-42646 is a segmentation fault vulnerability in NanoMQ v0.21.10 that allows unauthenticated remote attackers to trigger a denial of service condition by sending specially crafted messages. This is a network-accessible DoS vulnerability with high availability impact (CVSS 7.5) that affects message broker deployments. The vulnerability requires no authentication or user interaction, making it easily exploitable in production environments.

Technical Context

NanoMQ is a lightweight MQTT message broker implementation. The vulnerability exists in the message parsing or processing logic (CWE-125: Out-of-bounds Read), where insufficient input validation on crafted MQTT protocol messages leads to a segmentation fault—typically caused by reading beyond allocated buffer boundaries. MQTT v3.1/v5.0 message handlers in NanoMQ v0.21.10 lack proper bounds checking when processing variable-length message fields (e.g., topic names, payloads, or protocol headers). This memory safety issue is common in C/C++ implementations lacking memory-safe abstractions. The segfault is triggered during message deserialization before protocol validation completes, allowing any network client to crash the broker process without establishing authenticated sessions.
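The class of check this paragraph describes, as an added example (not NanoMQ's code and not taken from the advisory): a reader for the MQTT fixed header's Remaining Length and a PUBLISH topic name that rejects any declared length exceeding the bytes received. The function names and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not NanoMQ's API.
 * Decode the MQTT Remaining Length (1-4 byte varint).
 * Returns bytes consumed, or 0 if truncated or malformed. */
static size_t read_remaining_length(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint32_t value = 0;
    for (size_t i = 0; i < 4; i++) {
        if (i >= avail) return 0;                  /* input ends mid-varint */
        value |= (uint32_t)(p[i] & 0x7F) << (7 * i);
        if ((p[i] & 0x80) == 0) { *out = value; return i + 1; }
    }
    return 0;                                      /* a fifth length byte is not allowed */
}

/* Returns the PUBLISH topic length and sets *topic, or -1 when a declared
 * length exceeds the bytes actually received. */
int publish_topic(const uint8_t *buf, size_t len, const uint8_t **topic)
{
    uint32_t remaining = 0;
    if (len < 2 || (buf[0] >> 4) != 3) return -1;  /* packet type 3 = PUBLISH */
    size_t n = read_remaining_length(buf + 1, len - 1, &remaining);
    if (n == 0) return -1;
    size_t body = 1 + n;                           /* offset of the variable header */
    /* need the 2-byte length prefix, and no more body than we actually hold */
    if (remaining < 2 || remaining > len - body) return -1;
    uint32_t tl = ((uint32_t)buf[body] << 8) | buf[body + 1];
    if (tl > remaining - 2) return -1;             /* topic would run past the packet */
    *topic = buf + body + 2;
    return (int)tl;
}

/* Constructed sample packets (not from any real capture or exploit). */
static const uint8_t PKT_OK[]         = {0x30, 0x05, 0x00, 0x03, 'a', '/', 'b'};
static const uint8_t PKT_LONG_TOPIC[] = {0x30, 0x05, 0x00, 0x40, 'a', '/', 'b'};
static const uint8_t PKT_SHORT_BODY[] = {0x30, 0x7F, 0x00, 0x03, 'a'};
static const uint8_t PKT_CUT_VARINT[] = {0x30, 0x80};

int main(void)
{
    const uint8_t *t = NULL;
    printf("ok=%d long_topic=%d short_body=%d cut_varint=%d\n",
           publish_topic(PKT_OK, sizeof PKT_OK, &t),
           publish_topic(PKT_LONG_TOPIC, sizeof PKT_LONG_TOPIC, &t),
           publish_topic(PKT_SHORT_BODY, sizeof PKT_SHORT_BODY, &t),
           publish_topic(PKT_CUT_VARINT, sizeof PKT_CUT_VARINT, &t));
    return 0;
}
```

Every length taken from the wire is compared against what remains in the buffer before it is used as an offset, so a malformed packet yields an error return instead of an out-of-bounds read.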

Affected Products

NanoMQ versions up to and including v0.21.10. Potential CPE: cpe:2.3:a:emqx:nanomq:0.21.10:*:*:*:*:*:*:*. Affected configurations include: (1) Any publicly exposed NanoMQ MQTT broker listening on ports 1883 (unencrypted MQTT) or 8883 (MQTT over TLS); (2) NanoMQ instances in IoT gateways, edge computing clusters, or cloud deployments; (3) Multi-tenant MQTT infrastructures where untrusted clients connect. No patch version is referenced in the provided data; check EMQX/NanoMQ GitHub releases and official advisories for patched versions ≥0.21.11 or equivalent security releases.

Remediation

Immediate actions:
(1) Upgrade NanoMQ to the latest patched version (vendor advisory required; check https://github.com/emqx/nanomq/releases and https://www.emqx.io/).
(2) If upgrade is blocked, implement network-level mitigations: restrict MQTT broker access via firewall/ACLs to trusted clients only, isolate the broker on a segmented network, and disable public Internet exposure.
(3) Monitor broker process health and implement automated restart mechanisms (systemd service files, container health checks) to minimize downtime from crash events.
(4) Add input validation/fuzzing at the network boundary if running a custom reverse proxy.
Workarounds are limited for this memory safety issue; patching is the primary mitigation.

Priority Score

58 (KEV: 0, EPSS: +0.1, CVSS: +38, POC: +20)
