CVE-2026-25627
Published: 30 March 2026
Summary
CVE-2026-25627 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Emqx Nanomq. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 4.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of MQTT packet Remaining Length against available receive buffer size to prevent out-of-bounds reads.
Ensures timely patching of the specific out-of-bounds read flaw fixed in NanoMQ version 0.24.8.
Mandates secure error handling for invalid inputs to avoid crashes from unhandled out-of-bounds reads in the WebSocket transport.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds read in network-facing MQTT/WebSocket handler directly enables remote crash/DoS via application exploitation (T1499.004).
NVD Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ's MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Deeper analysis
CVE-2026-25627 is an out-of-bounds read vulnerability in the MQTT-over-WebSocket transport of NanoMQ, an all-around Edge Messaging Platform and MQTT Broker. In versions prior to 0.24.8, the broker can be crashed by an MQTT packet with a deliberately large Remaining Length value in the fixed header paired with a much shorter actual payload. The affected code path copies the specified number of Remaining Length bytes from the receive buffer without first verifying that the buffer contains sufficient data, leading to an out-of-bounds read and crash, as reported by ASAN.
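The SI-10 control above and the description of the flaw both come down to one check: the Remaining Length advertised in the MQTT fixed header must be compared against the bytes actually sitting in the receive buffer before anything is copied. The following is an added illustration of that check, written for this page; it is not NanoMQ's code and does not reproduce the 0.24.8 patch. Function and sample names are assumptions, and the three packets are constructed by hand (a complete PUBLISH, a PUBLISH whose header claims 300 bytes but carries 5, and a header with an over-long length encoding), not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking a buffered MQTT packet against its own fixed header. */
enum mqtt_frame_status {
    MQTT_FRAME_COMPLETE,    /* whole packet is present; copying is in bounds */
    MQTT_FRAME_INCOMPLETE,  /* header or payload not fully received; wait for more */
    MQTT_FRAME_MALFORMED    /* Remaining Length encoding exceeds 4 bytes */
};

/* Decode the MQTT variable-byte-integer Remaining Length that starts at buf[1].
 * Returns the number of header bytes (control byte + length bytes),
 * 0 if the buffer ends before the encoding does, -1 if the encoding is malformed. */
static int mqtt_decode_remaining_length(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 1;                       /* byte 0 is the control byte */
    for (;;) {
        if (i > 4) return -1;           /* spec permits at most 4 length bytes */
        if (i >= len) return 0;         /* encoding not yet fully received */
        uint8_t b = buf[i++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0) break;     /* continuation bit clear: last length byte */
        multiplier *= 128;
    }
    *out = value;
    return (int)i;
}

/* The bounds check itself: only report COMPLETE when the buffer really holds
 * header + Remaining Length bytes. payload_off/payload_len are set on COMPLETE. */
enum mqtt_frame_status mqtt_check_frame(const uint8_t *buf, size_t len,
                                        size_t *payload_off, uint32_t *payload_len)
{
    uint32_t remaining;
    int hdr = mqtt_decode_remaining_length(buf, len, &remaining);
    if (hdr < 0) return MQTT_FRAME_MALFORMED;
    if (hdr == 0) return MQTT_FRAME_INCOMPLETE;
    /* Advertised length is untrusted input; compare it with what was received. */
    if ((size_t)remaining > len - (size_t)hdr) return MQTT_FRAME_INCOMPLETE;
    if (payload_off) *payload_off = (size_t)hdr;
    if (payload_len) *payload_len = remaining;
    return MQTT_FRAME_COMPLETE;
}

/* Convenience wrapper for callers that only need the verdict. */
enum mqtt_frame_status mqtt_frame_status_of(const uint8_t *buf, size_t len)
{
    return mqtt_check_frame(buf, len, NULL, NULL);
}

/* Copy the payload out of the receive buffer only after the check passes.
 * Returns bytes copied, or 0 when the packet is incomplete, malformed or too big. */
size_t mqtt_copy_payload(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap)
{
    size_t off;
    uint32_t plen;
    if (mqtt_check_frame(buf, len, &off, &plen) != MQTT_FRAME_COMPLETE) return 0;
    if (plen > dst_cap) return 0;
    memcpy(dst, buf + off, plen);       /* in bounds: off + plen <= len was verified */
    return plen;
}

/* Constructed sample packets (assumed for this example, not captured traffic). */
static const uint8_t SAMPLE_PUBLISH_OK[] = {0x30, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* 0xAC 0x02 encodes Remaining Length 300, but only 5 payload bytes follow. */
static const uint8_t SAMPLE_TRUNCATED[]  = {0x30, 0xAC, 0x02, 'h', 'e', 'l', 'l', 'o'};
/* Five bytes with the continuation bit set: more than the 4 the spec allows. */
static const uint8_t SAMPLE_MALFORMED[]  = {0x30, 0x80, 0x80, 0x80, 0x80, 0x80};

static uint8_t scratch[16];

/* Copy a sample into the scratch buffer; returns bytes copied (0 when refused). */
size_t copy_into_scratch(const uint8_t *pkt, size_t len)
{
    memset(scratch, 0, sizeof scratch);
    return mqtt_copy_payload(pkt, len, scratch, sizeof scratch);
}

int main(void)
{
    printf("complete:  status=%d copied=%zu\n",
           mqtt_frame_status_of(SAMPLE_PUBLISH_OK, sizeof SAMPLE_PUBLISH_OK),
           copy_into_scratch(SAMPLE_PUBLISH_OK, sizeof SAMPLE_PUBLISH_OK));
    printf("truncated: status=%d copied=%zu\n",
           mqtt_frame_status_of(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           copy_into_scratch(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("malformed: status=%d\n",
           mqtt_frame_status_of(SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED));
    return 0;
}
```

The truncated sample is the shape the advisory describes: a header promising far more data than arrived. A reader that trusts the header and copies 300 bytes walks off the end of the 8-byte buffer; the check above instead returns INCOMPLETE, which a transport can treat as "wait for more bytes" (or, combined with a sane upper bound on packet size, as grounds to close the connection). Treating the over-long length encoding as MALFORMED rather than looping is the second defensive property worth keeping.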
The vulnerability is remotely exploitable over the WebSocket listener with low attack complexity and no user interaction required. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, base score 6.5) rates exploitation as requiring low privileges (PR:L), so an attacker with such access can trigger a denial of service by crashing the NanoMQ broker instance. There is no impact on confidentiality or integrity.
The issue has been addressed in NanoMQ version 0.24.8, as detailed in the project's release notes, security advisories (GHSA-w4rh-v3h2-j29x), and the patching commit (e80b30bad6d855593a68d18f2785bfaca6faf09e) merged via pull request #1405. Security practitioners should upgrade to the fixed version to mitigate this CWE-125 vulnerability.
Details
- CWE(s)