Vulnerabilities ›

CVE-2026-32135

High ⚡ Exploit Available

CWE-122 — Weakness Type

                    Published: Apr 20, 2026                      ·  Modified: Apr 27, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.

🤖 AI Executive Summary

NanoMQ MQTT Broker versions before 0.24.11 contain a heap buffer overflow vulnerability in the REST API's uri_param_parse function due to an off-by-one memory allocation error. Remote attackers can exploit this via crafted HTTP requests to write beyond allocated buffers, potentially achieving code execution.

📄 Description (Arabic)

تحتوي نسخ NanoMQ السابقة للإصدار 0.24.11 على ثغرة تجاوز ذاكرة heap في واجهة REST API بسبب خطأ off-by-one في تخصيص الذاكرة لمفاتيح وقيم معاملات الاستعلام. يمكن للمهاجمين البعيدين تفعيل هذه الثغرة عبر طلبات HTTP مصنوعة بعناية تحتوي على معاملات استعلام خاصة.

🤖 ملخص تنفيذي (AI)

إصدارات NanoMQ MQTT Broker السابقة للإصدار 0.24.11 تحتوي على ثغرة تجاوز ذاكرة heap في دالة uri_param_parse بواسطة خطأ off-by-one في تخصيص الذاكرة. يمكن للمهاجمين البعيدين استغلال هذا عبر طلبات HTTP مصنوعة بعناية.

🤖 AI Intelligence Analysis Analyzed: May 3, 2026 13:17

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

energy government telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1499 T1203

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade NanoMQ to version 0.24.11 or later. If immediate patching is not possible, restrict HTTP access to the REST API through network segmentation and firewall rules, disable the REST API if not required, and monitor for suspicious HTTP requests with unusual query parameters.

🔧 خطوات المعالجة (العربية)

قم بترقية NanoMQ إلى الإصدار 0.24.11 أو أحدث فوراً. إذا لم يكن الترقية فوراً ممكناً، قيّد الوصول إلى REST API عبر تقسيم الشبكة وقواعد جدار الحماية، عطّل REST API إذا لم يكن مطلوباً، وراقب الطلبات المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.6.1 A.14.2.1

🔵 SAMA CSF

ID.RA-1 PR.IP-12

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1 A.14.2.5

🔗 References & Sources 3

🔗

https://github.com/nanomq/nanomq/commit/69a97b3b39cc218f044f1c8896f4d3d8757bb394

security-advisories@github.com

Patch

🔗

https://github.com/nanomq/nanomq/issues/2247

security-advisories@github.com

Issue Tracking

🔗

https://github.com/nanomq/nanomq/security/advisories/GHSA-6w96-9qw7-m599

security-advisories@github.com

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

emqx:nanomq

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-122

EPSS0.15%

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-04-20

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available patch-available CWE-122

🏢 Vendor Advisories

🔗 https://github.com/nanomq/nanomq/security/advisories...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-32135

💬 Comments

Introduce Yourself

Sign In Required