CVE-2024-48077
Published: 15 January 2026
Summary
CVE-2024-48077 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Emqx Nanomq. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-48077 is a Denial of Service (DoS) vulnerability in NanoMQ version 0.22.7 due to improper resource throttling, mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-833 (Deadlock). A crafted sequence of requests causes the recv-q queue to saturate, resulting in rapid exhaustion of system file descriptors (FDs). This exhaustion triggers a process crash, preventing the broker from providing services. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.
Any unauthenticated attacker with network access to the NanoMQ broker can exploit this vulnerability. By sending a specially crafted sequence of requests, the attacker saturates the recv-q queue, exhausts FDs, and crashes the broker process, leading to a complete denial of service where the broker becomes unresponsive and unable to handle MQTT traffic or other services.
Mitigation details and potential patches are referenced in the GitHub gist at https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4 and the official NanoMQ repository at https://github.com/nanomq/nanomq. Security practitioners should consult these sources for updates, workarounds, or upgraded versions addressing the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2717
Vulnerability details
NanoMQ v0.22.7 is vulnerable to Denial of Service (DoS) due to improper resource throttling. A crafted sequence of requests causes the recv-q queue to saturate, leading to the rapid exhaustion of system file descriptors (FDs). This exhaustion triggers a process…
more
crash, rendering the broker unable to provide services.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing MQTT broker (T1190) to trigger application crash via resource exhaustion (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires protections against resource exhaustion attacks that cause denial of service, matching the recv-q saturation and FD exhaustion in this CVE.
Mandates allocation safeguards to prevent uncontrolled resource consumption, directly addressing the lack of throttling that leads to FD exhaustion and broker crash.
Enables monitoring of system resource usage and anomalous request patterns that would reveal the crafted sequence saturating the recv-q queue.