SB20260424163 - Multiple vulnerabilities in NanoMQ

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2026-25627)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in ws_msg_adaptor() in nng/src/sp/transport/mqttws/nmq_websocket.c when processing MQTT packets over the WebSocket listener. A remote user can send a specially crafted MQTT packet with a large Remaining Length and a shorter actual payload to cause a denial of service.

Triggering the issue requires sending a malformed PUBLISH message after a valid CONNECT over the MQTT-over-WebSocket transport.

2) Out-of-bounds read (CVE-ID: CVE-2026-34608)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in hook_work_cb() in webhook_inproc.c when parsing an nng message body with cJSON_Parse(). A remote privileged user can send a specially crafted PUBLISH message to cause a denial of service.

Exploitation requires the webhook feature to be enabled, and the issue is reliably triggered with a power-of-two JSON payload length of at least 1024 bytes.

Remediation

Install update from vendor's website.

References

• https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x
• https://github.com/advisories/GHSA-w4rh-v3h2-j29x
• https://github.com/nanomq/nanomq/security/advisories/GHSA-8p57-jxj9-3qq3
• https://github.com/advisories/GHSA-8p57-jxj9-3qq3