CVE-2026-46411
Status: Received (Intake)
FlashMQ MQTT Broker Write Buffer Over-Commit Denial of Service

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
FlashMQ is an MQTT broker/server designed for multi-CPU environments. Prior to version 1.26.2, authorized (authenticated) clients were able to exceed the permitted over-commit of their write buffer and trigger an internal safeguard exception. That exception was thrown on a code path where it could not be caught, so it aborts the broker process. The issue has been patched in version 1.26.2.
CVSS Scores: none listed
EPSS Scores: not yet evaluated
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor | Product | Version / Range
halfgaar | flashmq | up to 1.26.2 (excluding) - affected
halfgaar | flashmq | 1.26.2 - fixed
halfgaar | flashmq | from 1.26.2 (including) - fixed
CWE
CWE-248 (Uncaught Exception): An exception is thrown from a function, but it is not caught.
Executive Summary

CVE-2026-46411 is a denial-of-service vulnerability in FlashMQ, an MQTT broker/server. Before version 1.26.2, an authorized client could exceed the permitted over-commit of its write buffer, which triggered an internal safeguard exception on a code path with no handler. Because the exception could not be caught, it terminates the broker process.

The condition is reached when a client sends specific control packets in volume, so that the broker's write buffer for that client grows past its permitted over-commit and the safeguard fires in a part of the send path that does not handle the exception. This is an uncaught-exception crash (CWE-248), not a memory-corruption buffer overflow. FlashMQ 1.26.2 fixes it by introducing explicit limits on write-buffer over-commit and by changing the internal handling of packet sending so the safeguard can no longer raise an uncatchable exception.
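The pattern behind CWE-248 here, shown as an added generic illustration rather than FlashMQ's own code (nothing below is taken from the project; the buffer layout, the `noexcept` send path, the limit values and the function names are assumptions made for the example): a safeguard that throws from a path with no handler ends in `std::terminate()` and takes the whole broker down, whereas a limit check that returns a status lets the caller drop only the one offending client.

```cpp
#include <cstddef>
#include <stdexcept>

// Per-client outgoing buffer: bytes queued for the socket but not yet written.
// (Assumed layout for this example; not FlashMQ's data structure.)
struct ClientWriteBuffer {
    std::size_t limit;      // permitted over-commit in bytes (policy value assumed here)
    std::size_t queued = 0;
    bool open = true;       // false once the client has been disconnected
};

// The safeguard itself: refuse to queue past the limit by throwing.
// Subtracting first avoids size_t wraparound that `queued + packetLen > limit`
// would allow for a huge packetLen.
void checkOverCommit(const ClientWriteBuffer& buf, std::size_t packetLen) {
    if (packetLen > buf.limit - buf.queued)
        throw std::runtime_error("write buffer over-commit exceeded");
}

// BEFORE: the send path is noexcept (standing in for any path with no handler).
// The throw from checkOverCommit has nowhere to go, the runtime calls
// std::terminate(), and one misbehaving client aborts the whole broker.
void queueVulnerable(ClientWriteBuffer& buf, std::size_t packetLen) noexcept {
    checkOverCommit(buf, packetLen);
    buf.queued += packetLen;
}

// Shows that the guard fires for a given input; through queueVulnerable the
// same throw would be uncatchable, so it is exercised here via a catching caller.
bool guardFires(ClientWriteBuffer buf, std::size_t packetLen) {
    try {
        checkOverCommit(buf, packetLen);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

// AFTER: the limit check is an ordinary result; the caller disconnects only
// the offending client and the broker keeps serving everyone else.
enum class QueueResult { Queued, OverCommit };

QueueResult queueHardened(ClientWriteBuffer& buf, std::size_t packetLen) noexcept {
    if (!buf.open || packetLen > buf.limit - buf.queued) {
        buf.open = false;           // drop this client, nothing else
        return QueueResult::OverCommit;
    }
    buf.queued += packetLen;
    return QueueResult::Queued;
}

// Simulate a client that keeps queueing `count` packets of `packetLen` bytes
// while nothing drains to the socket; returns how many packets were accepted
// before the hardened path dropped the client.
std::size_t floodHardened(std::size_t limit, std::size_t packetLen, std::size_t count) {
    ClientWriteBuffer buf{limit};
    std::size_t accepted = 0;
    for (std::size_t i = 0; i < count; ++i) {
        if (queueHardened(buf, packetLen) != QueueResult::Queued)
            break;
        ++accepted;
    }
    return accepted;
}
```

With a 1024-byte limit and 300-byte packets, `floodHardened` accepts three packets and then returns, with the buffer marked closed; the same fourth packet fed to `queueVulnerable` would abort the process.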

Impact Analysis

This vulnerability primarily impacts the availability of the FlashMQ server. An attacker who is an authorized client can cause the server to crash by sending a large number of specific control packets that exceed the write buffer limits.

Because the exception triggered by this buffer over-commit is uncatchable, the server aborts unexpectedly, resulting in downtime or denial of service. The vulnerability does not affect confidentiality or integrity, but it can disrupt service availability.

The attack vector is network-based, requires low attack complexity, and no user interaction, making it relatively easy for an authorized client to exploit.

Detection Guidance

No vulnerability-specific detection signatures or commands are provided in the available resources.

Because the root cause is an uncaught exception rather than memory corruption, the observable symptom is an abnormal termination of the broker process: an uncaught C++ exception ends in std::terminate(), which aborts the process (SIGABRT), typically followed by a core dump and a service restart. Detection therefore means monitoring for broker aborts and crash loops and correlating them with the authenticated client whose traffic, for example MQTT PUBACK packets, immediately preceded the abort.
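One way to implement that monitoring over journald/syslog-style lines, as an added example that is not part of the advisory or the FlashMQ project: it looks for the two traces an uncaught C++ exception leaves behind, libstdc++'s "terminate called after throwing an instance of '<type>'" message and systemd's "Main process exited, code=dumped, status=6/ABRT" record for the broker unit, and flags hosts with repeated aborts inside a time window. The sample lines are constructed for the example; the unit name `flashmq.service`, the exception type and the `what()` text shown are assumptions, not FlashMQ's actual log output.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <map>
#include <regex>
#include <string>
#include <vector>

struct AbortEvent {
    long seconds;               // time of day in seconds (date ignored)
    std::string host;
    std::string exceptionType;  // empty if no terminate line preceded the abort
};

// "Jun 10 12:00:01 host proc[pid]: message"
static const std::regex kSyslog(
    R"(^\w{3} +\d{1,2} (\d{2}):(\d{2}):(\d{2}) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$)");
static const std::regex kTerminate(
    R"(terminate called after throwing an instance of '([^']+)')");
static const std::regex kAbort(
    R"((\S+\.service): Main process exited, code=(?:dumped|killed), status=6/ABRT)");

// Pair each SIGABRT exit of `unit` with the terminate message (if any) logged
// on the same host within the preceding 5 seconds.
std::vector<AbortEvent> scanAborts(const std::vector<std::string>& lines,
                                   const std::string& unit = "flashmq.service") {
    std::vector<AbortEvent> events;
    std::string lastHost, lastType;
    long lastSeconds = -1;
    std::smatch m;
    for (const std::string& line : lines) {
        if (!std::regex_match(line, m, kSyslog)) continue;
        long secs = std::stol(m[1].str()) * 3600 + std::stol(m[2].str()) * 60
                  + std::stol(m[3].str());
        std::string host = m[4].str();
        std::string msg = m[6].str();
        std::smatch t;
        if (std::regex_search(msg, t, kTerminate)) {
            lastHost = host; lastType = t[1].str(); lastSeconds = secs;
            continue;
        }
        std::smatch a;
        if (std::regex_search(msg, a, kAbort) && a[1].str() == unit) {
            std::string type;
            if (lastSeconds >= 0 && lastHost == host && secs - lastSeconds <= 5)
                type = lastType;
            events.push_back({secs, host, type});
            lastSeconds = -1;
        }
    }
    return events;
}

// Hosts with at least `threshold` aborts inside any `windowSeconds` span.
std::vector<std::string> crashLoopHosts(const std::vector<AbortEvent>& events,
                                        long windowSeconds = 600,
                                        std::size_t threshold = 2) {
    std::map<std::string, std::vector<long>> byHost;
    for (const AbortEvent& e : events) byHost[e.host].push_back(e.seconds);
    std::vector<std::string> flagged;
    for (auto& kv : byHost) {
        std::vector<long>& times = kv.second;
        std::sort(times.begin(), times.end());
        for (std::size_t i = 0; i < times.size(); ++i) {
            std::size_t j = i;
            while (j < times.size() && times[j] - times[i] <= windowSeconds) ++j;
            if (j - i >= threshold) { flagged.push_back(kv.first); break; }
        }
    }
    return flagged;
}

// Constructed sample log: two aborts on broker1 three minutes apart, one
// clean exit and one isolated abort on broker2.
const std::vector<std::string> kSampleLines = {
    "Jun 10 12:00:01 broker1 flashmq[1234]: terminate called after throwing an instance of 'std::runtime_error'",
    "Jun 10 12:00:01 broker1 flashmq[1234]:   what():  write buffer over-commit exceeded",
    "Jun 10 12:00:01 broker1 systemd[1]: flashmq.service: Main process exited, code=dumped, status=6/ABRT",
    "Jun 10 12:00:01 broker1 systemd[1]: flashmq.service: Failed with result 'core-dump'.",
    "Jun 10 12:00:02 broker1 systemd[1]: flashmq.service: Scheduled restart job, restart counter is at 1.",
    "Jun 10 12:03:40 broker1 flashmq[1301]: terminate called after throwing an instance of 'std::runtime_error'",
    "Jun 10 12:03:40 broker1 systemd[1]: flashmq.service: Main process exited, code=dumped, status=6/ABRT",
    "Jun 10 12:05:00 broker2 systemd[1]: flashmq.service: Main process exited, code=exited, status=0/SUCCESS",
    "Jun 10 12:30:00 broker2 systemd[1]: flashmq.service: Main process exited, code=dumped, status=6/ABRT",
};

int main() {
    for (const std::string& host : crashLoopHosts(scanAborts(kSampleLines)))
        std::cout << "crash loop: " << host << '\n';
    return 0;
}
```

The exception type is only attached when the terminate line and the abort record come from the same host within a few seconds, which keeps unrelated restarts from being blamed on this bug; an abort with no terminate line (broker2 above) is still reported, since a crash from another cause deserves a look too.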

Mitigation Strategies

The primary mitigation step is to upgrade FlashMQ to version 1.26.2 or later, where the vulnerability has been patched.

No workarounds are available, so applying the official update is necessary to prevent broker crashes caused by this issue. Because only authenticated clients can reach the faulty path, tightening which clients are allowed to authenticate narrows the exposure in the meantime, but it does not remove it.

Compliance Impact

The vulnerability CVE-2026-46411 affects the availability of the FlashMQ server by causing an uncatchable exception that leads to server aborts. It does not impact confidentiality or integrity of data.

Since the vulnerability does not affect confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, the impact on availability could affect service continuity obligations under these regulations if the MQTT broker is part of a critical system handling regulated data.
