NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by an MQTT packet whose fixed header declares a deliberately large Remaining Length while the payload actually sent is much shorter. The affected code path copies Remaining Length bytes without first verifying that the current receive buffer holds that many bytes, which results in an out-of-bounds read (CWE-125); AddressSanitizer (ASAN) reports the out-of-bounds access, and the broker crashes. The issue is remotely triggerable over the WebSocket listener. It has been patched in version 0.24.8.
{
"cwe_ids": [
"CWE-125"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25627.json",
"cna_assigner": "GitHub_M"
}"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25627.json"
"2026-04-12T20:23:13Z"
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 3078.0,
"function_hash": "309800913491873718124619074714334176675"
},
"source": "https://github.com/nanomq/nanonng/commit/b9d7c50427cf08f7d2bfc3a14fc6491240c22f06",
"id": "CVE-2026-25627-01d9a249",
"signature_type": "Function",
"target": {
"function": "nano_pipe_timer_cb",
"file": "src/sp/protocol/mqtt/nmq_mqtt.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"52562837256524356327979993874596151648",
"192511616185809487929499117343456329477",
"1125814297372660828841871265074305995",
"322686954350396477348038069631681542925",
"117308866211255878266283609353135917503",
"174595936490344061058538576242768505128",
"96173850441383276239143372226062820140",
"59098854081215189807874004779527460270",
"125543837073636808857060092663348847360",
"131610742232146028047136284818114405067",
"194675470649278745767877745860319467323",
"335306372526313889534346190873415443118",
"139085051258049829016987244527376804431",
"198744605669538066734640835335895752507",
"239192328744363590105831171240361118438",
"128466653431523298641189769365754001632",
"129993062006050832439492113501032675515",
"305196029766787679083459384973036067915",
"53247758151439035977572146045762749174",
"44001474533754174300665999998854744659",
"23492775416397180696561318164231258214"
]
},
"source": "https://github.com/nanomq/nanonng/commit/b9d7c50427cf08f7d2bfc3a14fc6491240c22f06",
"id": "CVE-2026-25627-f1faa686",
"signature_type": "Line",
"target": {
"file": "src/sp/protocol/mqtt/nmq_mqtt.c"
}
}
]