FlashMQ
CVE-2026-46411
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.2, authorized clients have the ability to exceed the permitted over-commit of their write buffer and triggering an internal safe-guard exception. This exception was in a path that was not catchable, and therefore causes a server abort. This issue has been patched in version 1.26.2.
AnalysisAI
Denial-of-service in FlashMQ MQTT broker prior to version 1.26.2 allows any authenticated (low-privilege) connected client to crash the entire broker process by deliberately exceeding the permitted write buffer over-commit threshold. The crash occurs because the resulting internal safeguard exception is raised in a C++ destructor code path during stack unwinding - a context where exceptions cannot be caught - forcing a call to std::terminate() and aborting the server. No public exploit has been identified at time of analysis, but exploitation requires only valid MQTT credentials, making this a realistic risk for any FlashMQ deployment with untrusted or semi-trusted client populations.
Technical ContextAI
FlashMQ is an open-source, high-performance MQTT broker written in C++, developed by halfgaar and designed for multi-CPU environments. The vulnerability is rooted in CWE-248 (Uncaught Exception). Specifically, the AckSender class previously held a shared_ptr to the Client object and its destructor would call sendNow() if the acknowledgment had not yet been sent. In C++, if an exception is thrown inside a destructor while another exception is already propagating (e.g., during stack unwinding from a write buffer over-commit guard), the runtime calls std::terminate(), immediately aborting the process. The fix in commit 29e08f7b97b6e3f96db923c2b6a260c47b49c195 removes the implicit sendNow() call from the destructor, replaces it with an assert(sent), and refactors sendNow() to accept a raw Client pointer explicitly at the call sites within handlePublish(). This eliminates the destructor-triggered exception path entirely. The affected CPE is cpe:2.3:a:halfgaar:flashmq:*:*:*:*:*:*:*:*, covering all versions prior to 1.26.2.
RemediationAI
Upgrade FlashMQ to version 1.26.2 or later; this is the vendor-released patch as confirmed by the GitHub release tag at https://github.com/halfgaar/FlashMQ/releases/tag/v1.26.2 and the fix commit at https://github.com/halfgaar/FlashMQ/commit/29e08f7b97b6e3f96db923c2b6a260c47b49c195. If immediate upgrade is not feasible, restrict MQTT client authentication so that only fully trusted, controlled clients can connect - this raises the effective privilege bar and reduces the pool of potential attackers, though it does not eliminate the vulnerability. Additionally, operators may consider placing the broker behind a connection-rate-limiting proxy or MQTT gateway that can terminate misbehaving client sessions before they reach FlashMQ, as a compensating control; note that this adds architectural complexity and a potential single point of failure. Monitoring broker process health and configuring automatic process restart (e.g., via systemd RestartSec) can reduce downtime from repeated crash attempts but does not prevent exploitation.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today