Skip to main content

Nanomq CVE-2026-34608

| EUVD-2026-18464 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-02 GitHub_M
Buffer Overflow Information Disclosure Nanomq
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.24.10
EUVD ID Assigned
Apr 02, 2026 - 18:15 euvd
EUVD-2026-18464
Analysis Generated
Apr 02, 2026 - 18:15 vuln.today
CVE Published
Apr 02, 2026 - 17:52 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10.

AnalysisAI

Out-of-bounds read in NanoMQ MQTT Broker webhook processing allows remote attackers with high privileges to trigger denial of service by sending malformed JSON payloads. Prior to version 0.24.10, the hook_work_cb() function in webhook_inproc.c passes unsanitized binary message buffers directly to cJSON_Parse(), which reads past buffer boundaries when payloads lack null terminators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment CVSS 4.9 reflects moderate severity with network accessibility and low complexity, but the requirement for PR:H (high privilege) significantly constrains real-world attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A high-privilege NanoMQ administrator with webhook configuration access crafts a webhook message with a JSON payload exactly 1024 bytes long (or another power-of-two >=1024), intentionally omitting a null terminator. When the message is delivered to the broker's intra-process webhook handler, cJSON_Parse() reads beyond the allocated buffer boundary, accessing adjacent heap memory (possibly message metadata or other NanoMQ internal structures). …
Remediation Upgrade NanoMQ to version 0.24.10 or later, which includes a patched version of webhook_inproc.c that properly null-terminates message bodies before passing them to cJSON_Parse(). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34608 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy