CVE-2026-32135 Overview
CVE-2026-32135 is a heap buffer overflow vulnerability affecting NanoMQ MQTT Broker, an all-around Edge Messaging Platform developed by EMQ Technologies. The vulnerability exists in the uri_param_parse function of NanoMQ's REST API, where an off-by-one error during memory allocation for query parameter keys and values allows an attacker to write a null byte beyond the allocated buffer boundary. This flaw can be triggered remotely via a crafted HTTP request, potentially leading to denial of service conditions.
Critical Impact
Remote attackers can exploit this heap buffer overflow via network-accessible REST API endpoints to cause service disruption. The vulnerability requires no authentication or user interaction to exploit.
Affected Products
- emqx nanomq versions prior to 0.24.11
Discovery Timeline
- 2026-04-20 - CVE CVE-2026-32135 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-32135
Vulnerability Analysis
This heap buffer overflow vulnerability (CWE-122) occurs in the uri_param_parse function within NanoMQ's REST API handler. When processing HTTP requests containing query parameters, the function allocates memory for storing parameter keys and values. However, due to an off-by-one error in the allocation calculation, the buffer is allocated one byte short of what is actually needed to properly store the data including its null terminator.
The vulnerability is network-accessible, requiring no authentication or user interaction to trigger. An attacker with network access to the NanoMQ REST API can craft a malicious HTTP request that exploits this boundary condition, causing a null byte to be written beyond the allocated heap buffer. While the immediate impact is primarily availability-focused due to the limited single-byte overwrite, heap corruption vulnerabilities can sometimes lead to more severe exploitation scenarios depending on heap layout and memory allocator behavior.
Root Cause
The root cause is an off-by-one error in memory allocation within the uri_param_parse function. When calculating the required buffer size for query parameter keys and values, the code fails to account for the null terminator byte, resulting in a buffer that is one byte too small. This classic off-by-one vulnerability allows the subsequent string copy operation to write the null terminator beyond the allocated buffer boundary, corrupting adjacent heap metadata or data.
Attack Vector
The attack vector is network-based, targeting the REST API endpoint exposed by NanoMQ. An attacker can exploit this vulnerability by:
- Identifying a network-accessible NanoMQ instance with REST API enabled
- Crafting an HTTP GET request with specially constructed query parameters
- Sending the malicious request to trigger the heap buffer overflow in uri_param_parse
- Causing service disruption through heap corruption
The patch addresses this issue by disabling the vulnerable /get_file endpoint:
.method = "GET",
.descr = "show broker aws_bridge configuration",
},
- {
- .path = "/get_file",
- .name = "get file content from path",
- .method = "GET",
- .descr = "To get config file content",
- },
+ // {
+ // .path = "/get_file",
+ // .name = "get file content from path",
+ // .method = "GET",
+ // .descr = "To get config file content",
+ // },
{
.path = "/configuration/",
.name = "set_broker_configuration",
Source: GitHub Commit Changes
Detection Methods for CVE-2026-32135
Indicators of Compromise
- Unexpected NanoMQ service crashes or restarts, particularly when REST API is actively used
- Abnormal HTTP requests to NanoMQ REST API endpoints with unusually long or malformed query parameters
- Heap corruption errors or segmentation faults in NanoMQ process logs
- Unusual network traffic patterns targeting NanoMQ REST API ports
Detection Strategies
- Monitor NanoMQ service stability and log files for unexpected crashes or memory-related errors
- Implement network intrusion detection rules to identify malformed HTTP requests targeting NanoMQ REST API
- Deploy application-level firewalls to inspect and filter requests to the /get_file endpoint and other REST API paths
- Use memory sanitizers during testing to detect heap overflow conditions
Monitoring Recommendations
- Enable verbose logging on NanoMQ instances to capture REST API request details
- Set up alerting for NanoMQ process crashes or automatic restarts
- Monitor system resources (memory usage, process state) for anomalies indicating exploitation attempts
- Implement log aggregation to correlate potential attack patterns across multiple NanoMQ instances
How to Mitigate CVE-2026-32135
Immediate Actions Required
- Upgrade NanoMQ to version 0.24.11 or later immediately
- If immediate upgrade is not possible, restrict network access to the NanoMQ REST API using firewall rules
- Disable REST API functionality if not required for operations
- Implement network segmentation to limit exposure of NanoMQ instances
Patch Information
EMQ Technologies has released version 0.24.11 of NanoMQ which patches this vulnerability. The fix involves disabling the vulnerable /get_file endpoint that was susceptible to the heap buffer overflow. Organizations should update to this patched version as soon as possible.
For detailed patch information, refer to:
Workarounds
- Disable the REST API feature entirely if not required by setting appropriate configuration options
- Use firewall rules to restrict access to NanoMQ REST API ports from untrusted networks
- Deploy a reverse proxy with request validation in front of NanoMQ to filter potentially malicious requests
- Implement network access control lists (ACLs) to limit which hosts can communicate with NanoMQ REST API
# Example: Restrict REST API access using iptables
iptables -A INPUT -p tcp --dport 8081 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
