CVE-2024-42646

7.5 HIGH

📋 TL;DR

A segmentation fault vulnerability in NanoMQ v0.21.10 allows attackers to cause Denial of Service (DoS) by sending specially crafted messages. This affects systems running vulnerable versions of the NanoMQ MQTT broker, potentially disrupting IoT and messaging services.

💻 Affected Systems

Products:
  • NanoMQ
Versions: v0.21.10
Operating Systems: All platforms running NanoMQ
Default Config Vulnerable: ⚠️ Yes
Notes: Any NanoMQ instance processing MQTT messages is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of the NanoMQ broker, disrupting all MQTT communications and dependent IoT/messaging applications until the service is restarted.

🟠 Likely Case

Service crash requiring manual restart, causing temporary disruption to MQTT message processing and client connections.

🟢 If Mitigated

Minimal impact, provided proper network segmentation and monitoring are in place to allow quick detection and recovery.

🌐 Internet-Facing: HIGH - Internet-facing NanoMQ instances are directly exposed to crafted attack traffic.
🏢 Internal Only: MEDIUM - Internal instances remain vulnerable to internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Crafted MQTT messages can trigger a segmentation fault without authentication. Proof-of-concept details are available in the public bug report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.21.11 or later

Vendor Advisory: https://github.com/nanomq/nanomq

Restart Required: Yes

Instructions:

1. Check the current version with 'nanomq --version'.
2. Update to v0.21.11+ via package manager or source compilation.
3. Restart the NanoMQ service.

🔧 Temporary Workarounds

Network Filtering

all

Implement network-level filtering to block suspicious MQTT traffic patterns

Rate Limiting

all

Apply rate limiting to MQTT connections to reduce attack surface

🧯 If You Can't Patch

  • Isolate NanoMQ instances behind firewalls with strict ingress filtering
  • Implement automated monitoring and alerting for service crashes with auto-restart capabilities

🔍 How to Verify

Check if Vulnerable:

Check whether the host is running NanoMQ v0.21.10, using 'nanomq --version' or the equivalent package manager command.

Check Version:

nanomq --version

Verify Fix Applied:

Confirm the version is v0.21.11 or later, then test with normal MQTT traffic.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors
  • Unexpected NanoMQ process termination
  • Core dump files

Network Indicators:

  • Unusual MQTT message patterns
  • Rapid connection attempts with malformed packets

SIEM Query:

process_name="nanomq" AND (event_type="crash" OR error_message="segmentation fault")
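
The version check under "How to Verify" and the log indicators above, combined into one triage helper. This is an added example, not code from this page or from the NanoMQ project. It assumes the version text contains an x.y.z number, that the kernel and systemd log crashes in their usual Linux formats, and that the unit is named nanomq.service; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2024-42646 (not NanoMQ project code).

# classify_version VERSION_TEXT
# Takes the first x.y.z number found in the text (assumed to be the NanoMQ
# version) and compares it with the versions named on this page:
# v0.21.10 is affected, v0.21.11 or later is fixed.
classify_version() {
    ver=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    if [ -z "$ver" ]; then
        echo "unknown"
        return
    fi
    if [ "$ver" = "0.21.10" ]; then
        echo "vulnerable"
        return
    fi
    # sort -V compares version fields numerically, so 0.21.9 < 0.21.11.
    lowest=$(printf '%s\n%s\n' "$ver" "0.21.11" | sort -V | head -n 1)
    if [ "$lowest" = "0.21.11" ]; then
        echo "fixed"
    else
        echo "not-listed"   # older than 0.21.10: this page makes no statement
    fi
}

# count_crashes: reads syslog or journal text on stdin and prints how many
# lines look like a NanoMQ segfault (kernel message or systemd SEGV exit).
count_crashes() {
    # grep -c exits 1 when the count is 0; "|| true" keeps callers using set -e alive.
    grep -Ec 'nanomq\[[0-9]+\]: segfault at |nanomq\.service: .*status=11/SEGV' || true
}

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG='Jan 10 12:00:01 host kernel: nanomq[2211]: segfault at 10 ip 000055d0c8a4f2b1 sp 00007ffd1c3e9a40 error 4 in nanomq[55d0c8a00000+1f4000]
Jan 10 12:00:01 host systemd[1]: nanomq.service: Main process exited, code=dumped, status=11/SEGV
Jan 10 12:00:05 host systemd[1]: Started nanomq.service.'

# Typical use on a live host (commented out so the file runs offline):
#   classify_version "$(nanomq --version 2>&1)"
#   journalctl -k -u nanomq --since "1 hour ago" | count_crashes
echo "sample version: $(classify_version 'v0.21.10')"
echo "sample crashes: $(printf '%s\n' "$SAMPLE_LOG" | count_crashes)"
```

A non-zero crash count on a host classified as "vulnerable" is the combination to alert on.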
