What is the CVSS score of CVE-2026-25627?

CVE-2026-25627 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-25627?

Yes, a patch is available for CVE-2026-25627. Update the affected software to the latest version immediately.

Nanomq CVE-2026-25627

EUVD-2026-17195 MEDIUM

Out-of-bounds Read (CWE-125)

2026-03-30 GitHub_M

Buffer Overflow Information Disclosure Nanomq

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

0.24.8

EUVD ID Assigned

Mar 30, 2026 - 20:30 euvd

EUVD-2026-17195

Analysis Generated

Mar 30, 2026 - 20:30 vuln.today

CVE Published

Mar 30, 2026 - 20:11 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.

AnalysisAI

NanoMQ MQTT Broker versions prior to 0.24.8 can be remotely crashed via MQTT-over-WebSocket by sending a packet with a maliciously inflated Remaining Length field in the fixed header while providing a shorter actual payload, triggering an out-of-bounds read that causes denial of service. Authenticated attackers can exploit this condition over the WebSocket listener with low attack complexity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability carries a CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network-accessible remote denial of service requiring authenticated access with low attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker connected to a NanoMQ broker's WebSocket listener constructs a malformed MQTT CONNECT or other control packet where the Remaining Length field in the fixed header specifies an artificially large value (e.g., 65535 bytes) while the actual WebSocket frame payload contains significantly fewer bytes. When the broker's WebSocket handler attempts to copy the number of bytes indicated by Remaining Length into its buffer without bounds validation, it reads beyond the available data, triggering an out-of-bounds memory access that crashes the broker process. …
Remediation	Vendor-released patch available: Upgrade NanoMQ to version 0.24.8 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25627 vulnerability details – vuln.today

Back

Nanomq CVE-2026-25627

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code