CVE-2026-42209
Status: Received - Intake
Denial of Service in FlashMQ MQTT Broker via Retained Message Handling

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
FlashMQ is an MQTT broker/server designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1.
Meta Information
Generated: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: flashmq
Product: flashmq
Version / Range: up to 1.26.1 (excluding)
CWE
CWE-369: The product divides a value by zero.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a remote client with retained publish permission to crash the FlashMQ broker, resulting in a denial of service. It does not directly impact confidentiality or integrity of data, but availability is affected.

Since the vulnerability leads to denial of service without compromising data confidentiality or integrity, its impact on compliance with standards like GDPR or HIPAA is indirect and primarily related to availability requirements.

However, the provided information does not specify any direct effects on compliance with GDPR, HIPAA, or other regulations.


Can you explain this vulnerability to me?

This vulnerability affects FlashMQ, an MQTT broker/server designed for multi-CPU environments. Before version 1.26.1, a remote client with retained publish permission can cause the FlashMQ broker to crash if both the set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread settings are configured to non-default values. This crash results in a denial of service condition. If anonymous retained publishing is allowed, the attacker does not need to authenticate; otherwise, the attacker must have the appropriate publish permission.


How can this vulnerability impact me?

The primary impact of this vulnerability is a denial of service (DoS) attack against the FlashMQ broker. An attacker can crash the broker remotely, disrupting the availability of the MQTT service. This can lead to interruptions in message delivery and potentially affect any systems or applications relying on the broker for communication.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade FlashMQ to version 1.26.1 or later, where the issue has been patched.

Additionally, if possible, avoid configuring both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread to non-default values simultaneously.

Also, consider disallowing anonymous retained publishing so that retained publishes require authentication, reducing the risk of exploitation by unauthenticated attackers.

