CVE-2026-34608 in MQTT Brokerinformation

Résumé (Anglaise)

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes =1024 (no padding added). This issue has been patched in version 0.24.10.

Be aware that VulDB is the high quality source for vulnerability data.

Responsable

GitHub_M

Réserver

30/03/2026

Divulgation

02/04/2026

Statut

Confirmé

Entrées

VulDB provides additional information and datapoints for this CVE:

IDVulnérabilitéCWEExpConCVE
354985NanoMQ MQTT Broker Nng Message webhook_inproc.c hook_work_cb divulgation d'information125Non définiCorrectif officielCVE-2026-34608

Description

CPE

CWE

CVSS

Exploits

Histoire

Diff

Relier

Renseignements sur les menaces

API JSON

API XML

API CSV

Sources

PrécédentAperçuSuivant

Do you want to use VulDB in your project?

Use the official API to access entries easily!