CVE-2026-42209 Overview
CVE-2026-42209 is a denial of service vulnerability in FlashMQ, an MQTT broker designed for multi-CPU environments. Versions prior to 1.26.1 contain a division by zero flaw [CWE-369] in the retained message handling logic. A remote client with retained publish permission can crash the broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values. If anonymous retained publishing is allowed, no authentication is required to trigger the crash. The issue has been patched in FlashMQ version 1.26.1.
Critical Impact
A single MQTT PUBLISH message with the retain flag can crash the FlashMQ broker, disrupting all connected clients and MQTT-based messaging across the affected deployment.
Affected Products
- FlashMQ MQTT broker versions prior to 1.26.1
- Deployments configured with non-default set_retained_message_defer_timeout values
- Deployments configured with non-default set_retained_message_defer_timeout_spread values
Discovery Timeline
- 2026-05-08 - CVE-2026-42209 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42209
Vulnerability Analysis
The vulnerability resides in the trySetRetainedMessages function within subscriptionstore.cpp. FlashMQ uses a deferred timeout mechanism to spread retained message processing load across worker threads. The implementation calls td->randomish() % settings->setRetainedMessageDeferTimeoutSpread.count() to compute a randomized spread value. When the administrator configures setRetainedMessageDeferTimeoutSpread to zero while setRetainedMessageDeferTimeout remains non-default, the modulo operation divides by zero. The resulting SIGFPE signal terminates the broker process, severing all active MQTT sessions.
Root Cause
The root cause is missing input validation before a modulo operation [CWE-369]. The code assumes the spread configuration value is always greater than zero. No guard clause checks the divisor before the arithmetic operation. Any client authorized to publish retained messages, or any unauthenticated client when anonymous retained publishing is enabled, can trigger the code path and reliably crash the broker.
Attack Vector
The attacker connects to the FlashMQ broker over the network and issues a single MQTT PUBLISH packet with the retain flag set. Processing this message routes execution through trySetRetainedMessages, where the division by zero terminates the process. The attack requires no memory corruption primitives, no race condition, and no special tooling beyond a standard MQTT client.
if (td->queuedRetainedMessagesEmpty() && setRetainedMessage(publish, subtopics, try_lock_fail))
return;
- const std::chrono::milliseconds spread(td->randomish() % settings->setRetainedMessageDeferTimeoutSpread.count());
- std::chrono::time_point<std::chrono::steady_clock> limit = std::chrono::steady_clock::now() + settings->setRetainedMessageDeferTimeout + spread;
+ auto spread {settings->setRetainedMessageDeferTimeoutSpread};
+
+ if (spread != std::chrono::milliseconds::zero())
+ {
+ const int64_t rnd = static_cast<uint32_t>(td->randomish());
+ spread = std::chrono::milliseconds{rnd % spread.count()};
+ }
+
+ const auto randomized_timeout = settings->setRetainedMessageDeferTimeout + spread;
+ std::chrono::time_point<std::chrono::steady_clock> limit = std::chrono::steady_clock::now() + randomized_timeout;
td->queueSettingRetainedMessage(publish, subtopics, limit);
}
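Review bot: the zero guard at `if (spread != std::chrono::milliseconds::zero())` removes the crash, but it only handles the value at the use site; a configured negative spread still reaches `rnd % spread.count()` and silently yields a remainder in [0, |spread|), so rejecting non-positive values when the setting is parsed would fail at startup instead of masking a misconfiguration. The cast at `const int64_t rnd = static_cast<uint32_t>(td->randomish());` deserves a one-line comment explaining that it is there to keep the dividend non-negative, since a negative remainder would shorten the timeout rather than spread it.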
The patch adds an explicit zero check before performing the modulo operation, and casts the random value to an unsigned 32-bit integer before widening it to int64_t so the dividend is non-negative. Source: FlashMQ Commit 193b6e7
Detection Methods for CVE-2026-42209
Indicators of Compromise
- Unexpected FlashMQ broker process termination with SIGFPE (signal 8) in system logs.
- MQTT clients reporting sudden disconnections without graceful shutdown messages from the broker.
- Core dump files generated by the FlashMQ process containing a stack trace referencing trySetRetainedMessages.
- Repeated PUBLISH packets with the retain flag arriving from a single source immediately before broker crashes.
Detection Strategies
- Monitor process supervision logs (systemd, supervisord) for repeated FlashMQ restart events correlated with inbound MQTT traffic.
- Review FlashMQ configuration files for the combination of non-default set_retained_message_defer_timeout and zero or unset set_retained_message_defer_timeout_spread.
- Inspect MQTT broker logs for retained PUBLISH messages preceding crash events to identify attacker source addresses.
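As an added example (not FlashMQ's own code), a small audit script that applies the configuration review above to a flashmq.conf: it flags a non-default set_retained_message_defer_timeout combined with a zero or unset set_retained_message_defer_timeout_spread, and separately flags allow_anonymous true. It assumes a flat `key value` syntax with `#` comments, that 0 is the timeout's default, and that a value may carry a unit suffix; the sample config is constructed.

```python
import re

TIMEOUT_KEY = "set_retained_message_defer_timeout"
SPREAD_KEY = "set_retained_message_defer_timeout_spread"


def parse_flashmq_conf(text):
    """Parse a flat 'key value' config; '#' starts a comment.
    Assumes no nested blocks (enough for the keys this check uses)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def leading_int(value):
    """Integer prefix of a value such as '5000' or '5000ms'; None if absent.
    Tolerating a unit suffix is an assumption, not documented FlashMQ syntax."""
    m = re.match(r"-?\d+", value or "")
    return int(m.group(0)) if m else None


def audit(text):
    """Return finding codes for the CVE-2026-42209 precondition and anonymous access."""
    s = parse_flashmq_conf(text)
    findings = []
    timeout = leading_int(s.get(TIMEOUT_KEY))
    spread = leading_int(s.get(SPREAD_KEY))
    # Assumption: 0 is the default timeout, so any other explicit value is non-default.
    timeout_non_default = timeout is not None and timeout != 0
    if timeout_non_default and not spread:  # spread unset or zero -> modulo by zero path
        findings.append("CVE-2026-42209-PRECONDITION")
    if s.get("allow_anonymous", "").lower() == "true":  # crash needs no credentials
        findings.append("ANONYMOUS-CLIENTS-ALLOWED")
    return findings


# Constructed sample, not taken from a real deployment.
CONSTRUCTED_CONF = """\
# constructed flashmq.conf
allow_anonymous true
set_retained_message_defer_timeout 5000   # non-default
set_retained_message_defer_timeout_spread 0
"""

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CONF):
        print(finding)
```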
Monitoring Recommendations
- Enable broker availability monitoring with alerts on process exit codes indicating arithmetic exceptions.
- Track MQTT connection counts and retained message publish rates to baseline normal behavior.
- Aggregate FlashMQ logs into a centralized logging platform to correlate crashes with client activity.
How to Mitigate CVE-2026-42209
Immediate Actions Required
- Upgrade FlashMQ to version 1.26.1 or later, which contains the official fix.
- Audit broker configuration and remove non-default values for set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread until the upgrade is applied.
- Disable anonymous retained publishing and require authentication for clients with publish permissions.
- Restrict broker network exposure to trusted clients using firewall rules or VPN segmentation.
Patch Information
The vulnerability is patched in FlashMQ version 1.26.1. Refer to the GitHub Security Advisory GHSA-2789-vfcg-5922 and the v1.26.1 Release Notes for upgrade details. The fix commit is available at commit 193b6e7. Additional discussion is documented in GitHub Issue 167.
Workarounds
- Revert set_retained_message_defer_timeout_spread to its default value to avoid the vulnerable code path.
- Revoke retained publish permissions from untrusted MQTT users via Access Control List (ACL) configuration.
- Deploy a process supervisor configured to restart FlashMQ automatically while remediation is in progress.
# Configuration example - safe FlashMQ settings until patched
# In flashmq.conf, ensure spread is not set or matches default:
# set_retained_message_defer_timeout 0
# set_retained_message_defer_timeout_spread 0
# Disable anonymous publishing
allow_anonymous false
# Restrict retained publishing via ACL
# In flashmq_acls.conf:
# user trusted_publisher
# topic write sensors/#
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.