Cyber Resilience

CVE-2024-48077

HighDDoS

Published: 15 January 2026

Published
15 January 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0003 9.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48077 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Emqx Nanomq. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2024-48077 is a Denial of Service (DoS) vulnerability in NanoMQ version 0.22.7 due to improper resource throttling, mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-833 (Deadlock). A crafted sequence of requests causes the recv-q queue to saturate, resulting in rapid exhaustion of system file descriptors (FDs). This exhaustion triggers a process crash, preventing the broker from providing services. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.

Any unauthenticated attacker with network access to the NanoMQ broker can exploit this vulnerability. By sending a specially crafted sequence of requests, the attacker saturates the recv-q queue, exhausts FDs, and crashes the broker process, leading to a complete denial of service where the broker becomes unresponsive and unable to handle MQTT traffic or other services.

Mitigation details and potential patches are referenced in the GitHub gist at https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4 and the official NanoMQ repository at https://github.com/nanomq/nanomq. Security practitioners should consult these sources for updates, workarounds, or upgraded versions addressing the issue.

EU & UK References

Vulnerability details

NanoMQ v0.22.7 is vulnerable to Denial of Service (DoS) due to improper resource throttling. A crafted sequence of requests causes the recv-q queue to saturate, leading to the rapid exhaustion of system file descriptors (FDs). This exhaustion triggers a process…

more

crash, rendering the broker unable to provide services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote exploitation of public-facing MQTT broker (T1190) to trigger application crash via resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32696Same product: Emqx Nanomq
CVE-2026-32135Same product: Emqx Nanomq
CVE-2026-21888Same product: Emqx Nanomq
CVE-2026-34608Same product: Emqx Nanomq
CVE-2026-25627Same product: Emqx Nanomq
CVE-2026-39304Shared CWE-400
CVE-2025-27669Shared CWE-400
CVE-2026-21637Shared CWE-400
CVE-2026-27888Shared CWE-400
CVE-2025-59472Shared CWE-400

Affected Assets

emqx
nanomq
0.22.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires protections against resource exhaustion attacks that cause denial of service, matching the recv-q saturation and FD exhaustion in this CVE.

prevent

Mandates allocation safeguards to prevent uncontrolled resource consumption, directly addressing the lack of throttling that leads to FD exhaustion and broker crash.

detect

Enables monitoring of system resource usage and anomalous request patterns that would reveal the crafted sequence saturating the recv-q queue.

References