{"id":"CVE-2026-25627","summary":"nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket","details":"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.","aliases":["GHSA-w4rh-v3h2-j29x"],"modified":"2026-04-12T20:23:13.010166Z","published":"2026-03-30T20:11:08.586Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25627.json","cwe_ids":["CWE-125"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25627.json"},{"type":"FIX","url":"https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"},{"type":"FIX","url":"https://github.com/nanomq/NanoNNG/pull/1405"},{"type":"WEB","url":"https://github.com/nanomq/nanomq/releases/tag/0.24.8"},{"type":"ADVISORY","url":"https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25627"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nanomq/nanonng","events":[{"introduced":"0"},{"fixed":"b9d7c50427cf08f7d2bfc3a14fc6491240c22f06"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.24.8"}]}}],"versions":["0.11.5","0.11.8","0.13","0.13.5","0.14.5","0.15.3","0.15.5","0.16.0","0.16.3","0.16.5","0.17.0","0.17.2","0.17.8","0.18.2","0.19.1","0.20.0","0.20.5","0.20.8","0.21","0.21.2","0.21.5","0.21.6","0.21.8","0.21.9","0.22.0","0.22.1","0.22.10","0.22.2","0.22.4","0.22.6","0.22.8","0.23.1","0.23.10","0.23.2","0.23.3","0.23.5","0.23.7","0.23.8","0.23.9","0.24.0","0.24.1","0.24.2","0.24.3","0.24.5","0.24.6","0.24.7","0.7.2","0.8.3"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","id":"CVE-2026-25627-01d9a249","deprecated":false,"source":"https://github.com/nanomq/nanonng/commit/b9d7c50427cf08f7d2bfc3a14fc6491240c22f06","digest":{"length":3078,"function_hash":"309800913491873718124619074714334176675"},"target":{"file":"src/sp/protocol/mqtt/nmq_mqtt.c","function":"nano_pipe_timer_cb"},"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2026-25627-f1faa686","deprecated":false,"source":"https://github.com/nanomq/nanonng/commit/b9d7c50427cf08f7d2bfc3a14fc6491240c22f06","digest":{"line_hashes":["52562837256524356327979993874596151648","192511616185809487929499117343456329477","1125814297372660828841871265074305995","322686954350396477348038069631681542925","117308866211255878266283609353135917503","174595936490344061058538576242768505128","96173850441383276239143372226062820140","59098854081215189807874004779527460270","125543837073636808857060092663348847360","131610742232146028047136284818114405067","194675470649278745767877745860319467323","335306372526313889534346190873415443118","139085051258049829016987244527376804431","198744605669538066734640835335895752507","239192328744363590105831171240361118438","128466653431523298641189769365754001632","129993062006050832439492113501032675515","305196029766787679083459384973036067915","53247758151439035977572146045762749174","44001474533754174300665999998854744659","23492775416397180696561318164231258214"],"threshold":0.9},"target":{"file":"src/sp/protocol/mqtt/nmq_mqtt.c"},"signature_type":"Line"}],"vanir_signatures_modified":"2026-04-12T20:23:13Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25627.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}