CVE-2026-32135
Published: 20 April 2026
Summary
CVE-2026-32135 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Emqx Nanomq. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the heap buffer overflow by requiring timely patching to NanoMQ version 0.24.11 or later.
Provides memory protection mechanisms such as ASLR and DEP to prevent successful exploitation of the heap buffer overflow.
Enforces validation of HTTP URI parameters to reject crafted requests that could trigger the off-by-one allocation error.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated heap buffer overflow in public NanoMQ REST API (uri_param_parse) directly enables T1190 exploitation of a public-facing application; the resulting broker crash maps to T1499.004 Application or System Exploitation for endpoint DoS.
NVD Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory…
more
for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.
Deeper analysisAI
CVE-2026-32135 is a heap buffer overflow vulnerability in the `uri_param_parse` function of NanoMQ's REST API. NanoMQ, an all-around Edge Messaging Platform and MQTT Broker, is affected in versions prior to 0.24.11. The issue stems from an off-by-one error during memory allocation for query parameter keys and values, which allows an attacker to write a null byte beyond the allocated buffer boundaries. This vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely by any unauthenticated attacker with network access to the NanoMQ REST API endpoint. By sending a specially crafted HTTP request, the attacker triggers the off-by-one error, leading to a heap buffer overflow. This results in high-impact availability disruption, such as broker crashes or denial of service, without affecting confidentiality or integrity.
Mitigation is available in NanoMQ version 0.24.11, which patches the allocation logic in the `uri_param_parse` function. Security advisories and the fixing commit are detailed in the NanoMQ GitHub security advisory (GHSA-6w96-9qw7-m599), issue tracker (#2247), and the specific patch commit (69a97b3b39cc218f044f1c8896f4d3d8757bb394). Practitioners should upgrade to the patched version and review exposed REST API access.
Details
- CWE(s)