Nixpkgs security tracker

Untriaged

Permalink CVE-2026-25627

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 2 weeks, 4 days ago

nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x x_refsource_CONFIRM
https://github.com/nanomq/NanoNNG/pull/1405 x_refsource_MISC
https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e x_refsource_MISC
https://github.com/nanomq/nanomq/releases/tag/0.24.8 x_refsource_MISC

Affected products

nanomq

==< 0.24.8

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.11
- nixpkgs-unstable 0.24.11
- nixos-unstable-small 0.24.11
nixos-25.11 0.24.10
- nixos-25.11-small 0.24.10
- nixpkgs-25.11-darwin 0.24.10

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers