CVE-2026-34608
Published: 02 April 2026
Summary
CVE-2026-34608 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Emqx Nanomq. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly remediates the out-of-bounds read vulnerability by requiring timely patching to NanoMQ version 0.24.10 or later, which fixes the flaw in hook_work_cb() processing of nng message bodies.
- Mandates validation of MQTT message bodies from external interfaces to ensure proper length bounds and null-termination before passing to cJSON_Parse, preventing buffer over-reads.
- Deploys runtime memory protections like address space layout randomization and guard pages to detect or limit damage from out-of-bounds reads into adjacent heap or stack memory.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The out-of-bounds read vulnerability in the MQTT broker can be triggered remotely by a privileged attacker sending a crafted JSON payload, directly enabling exploitation of the application to cause a crash and denial of service.
NVD Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10.
Deeper analysis [AI]
CVE-2026-34608 is an out-of-bounds read vulnerability in the NanoMQ MQTT Broker, an edge messaging platform, affecting versions prior to 0.24.10. The issue resides in the webhook_inproc.c file's hook_work_cb() function, which processes nng messages by passing the message body—obtained via nng_msg_body(msg), a binary buffer lacking a guaranteed null terminator—directly to cJSON_Parse(body). This causes cJSON_Parse to read beyond the allocated buffer boundaries until it encounters a null byte, potentially accessing nng_msg metadata or adjacent heap/stack memory. The flaw is often obscured by nng's allocation padding (extra 32 zero bytes for non-power-of-two sizes under 1024 or non-aligned allocations) but triggers reliably when the JSON payload length is a power-of-two value of 1024 or greater, where no padding is added.
Exploitation requires network access with low attack complexity, no user interaction, and high privileges (PR:H), as indicated by the CVSS 3.1 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). A privileged attacker can send a specially crafted MQTT message with a JSON payload of the specified length to the webhook endpoint, inducing the out-of-bounds read. This results in high-impact availability disruption, such as process crashes or denial of service, with no confidentiality or integrity effects (CWE-125: Out-of-bounds Read, CWE-457: Use of Uninitialized Variable).
The vulnerability has been addressed in NanoMQ version 0.24.10, as detailed in the project's security advisory (GHSA-8p57-jxj9-3qq3), release notes, and patching commit. Security practitioners should upgrade to 0.24.10 or later to mitigate the issue, with the commit available at https://github.com/nanomq/nanomq/commit/9499a4b2c47998a6aadb69238c18b9e6771b1691 and release at https://github.com/nanomq/nanomq/releases/tag/0.24.10.
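The hand-off problem described for hook_work_cb(), reduced to a self-contained C example that is added here and is not NanoMQ's code or its patch. scan_until_nul() is a stand-in for a terminator-trusting parser such as cJSON_Parse, and body_to_cstring(), the arena layout and the 16 neighbour bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_LEN  1024u /* power of two >= 1024, the case the description names */
#define NEIGHBOUR 16u   /* constructed bytes standing in for adjacent memory */

/* Stand-in for a C-string parser: it trusts the terminator and reports
 * how many bytes it walked before finding '\0'. */
static size_t scan_until_nul(const char *s) { return strlen(s); }

/* Hardened hand-off: copy exactly len bytes and terminate the copy.
 * Policy choice of this example: an empty body or one with an embedded
 * '\0' is refused (NULL). The caller frees the result. */
char *body_to_cstring(const void *body, size_t len)
{
    if (body == NULL || len == 0 || len == SIZE_MAX) return NULL;
    if (memchr(body, '\0', len) != NULL) return NULL;
    char *copy = malloc(len + 1);
    if (copy == NULL) return NULL;
    memcpy(copy, body, len);
    copy[len] = '\0';
    return copy;
}

/* One array laid out as [ body, no terminator | neighbour bytes | '\0' ],
 * so the over-read stays inside the array and can be measured safely. */
static void build_arena(char *arena)
{
    memset(arena, ' ', BODY_LEN);           /* JSON whitespace padding */
    memcpy(arena, "{\"k\":1}", 7);
    memset(arena + BODY_LEN, 'S', NEIGHBOUR);
    arena[BODY_LEN + NEIGHBOUR] = '\0';
}

/* Bytes consumed: raw body pointer (bounded == 0) or bounded copy. */
size_t bytes_scanned(int bounded)
{
    char arena[BODY_LEN + NEIGHBOUR + 1];
    build_arena(arena);
    if (!bounded) return scan_until_nul(arena);
    char *copy = body_to_cstring(arena, BODY_LEN);
    size_t n = copy ? scan_until_nul(copy) : 0;
    free(copy);
    return n;
}

int main(void)
{
    printf("raw: %zu bytes, bounded: %zu bytes\n", bytes_scanned(0), bytes_scanned(1));
    return 0;
}
```

Where the cJSON version in use provides cJSON_ParseWithLength, passing the body pointer together with the message length bounds the parse without the extra copy.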
Details
- CWE(s)