CVE-2026-46411
Description
FlashMQ versions prior to 1.26.2 are vulnerable to a server crash caused by authorized clients exceeding write buffer limits, leading to an uncatchable exception.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlashMQ versions prior to 1.26.2 are affected by an issue where authorized clients can exceed their permitted write buffer over-commit. This triggers an internal safeguard exception that is not catchable, resulting in a server abort. The vulnerability exists in the AckSender class and is related to handling PUBACK messages [1].
Exploitation
An authenticated client can exploit this vulnerability by sending messages that cause their write buffer to exceed its allocated limit. This action triggers the uncatchable exception, leading to the server's termination. No specific user interaction or complex attack vectors are described, implying that a client with basic publishing capabilities could trigger this [3].
Impact
Successful exploitation of this vulnerability results in a denial of service, as the FlashMQ server will abort and become unavailable. The impact is limited to the availability of the MQTT broker, with no disclosed impact on confidentiality or integrity of data [3].
Mitigation
This vulnerability has been fixed in FlashMQ version 1.26.2, released on June 10, 2026 [2]. Users are advised to upgrade to version 1.26.2 or later to address this issue.
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 1
29e08f7b97b6 Fix uncatchable exception (buffer full) in sending PUBACKs
3 files changed · +21 −15
acksender.cpp+7 −6 modified@@ -13,23 +13,24 @@ See LICENSE for license details. #include "mqttpacket.h" #include "client.h" -AckSender::AckSender(uint8_t qos, uint16_t packetId, ProtocolVersion protocolVersion, std::shared_ptr<Client> &client) : +AckSender::AckSender(uint8_t qos, uint16_t packetId, ProtocolVersion protocolVersion) : qos(qos), packetId(packetId), - protocolVersion(protocolVersion), - client(client) + protocolVersion(protocolVersion) { } AckSender::~AckSender() { - if (!sent) - sendNow(); + assert(sent); } -void AckSender::sendNow() +void AckSender::sendNow(Client *client) { + if (sent) + return; + this->sent = true; if (qos == 0)
acksender.h+8 −5 modified@@ -17,18 +17,21 @@ See LICENSE for license details. class AckSender { - uint8_t qos; - uint16_t packetId; + uint8_t qos {}; + uint16_t packetId {}; ProtocolVersion protocolVersion = ProtocolVersion::None; - std::shared_ptr<Client> &client; ReasonCodes ackCode = ReasonCodes::Success; bool sent = false; public: AckSender(const AckSender &other) = delete; AckSender(AckSender &&other) = delete; - AckSender(uint8_t qos, uint16_t packetId, ProtocolVersion protocolVersion, std::shared_ptr<Client> &client); + AckSender() = delete; + AckSender &operator=(const AckSender&) = delete; + AckSender &operator=(AckSender&&) = delete; + + AckSender(uint8_t qos, uint16_t packetId, ProtocolVersion protocolVersion); ~AckSender(); - void sendNow(); + void sendNow(Client *client); void setAckCode(ReasonCodes ackCode); };
mqttpacket.cpp+6 −4 modified@@ -2173,7 +2173,7 @@ void MqttPacket::handlePublish(std::shared_ptr<Client> &sender) const uint16_t _packet_id = this->packet_id; // Stage the ack, with the proper ID. - AckSender ackSender(this->publishData.qos, this->packet_id, this->protocolVersion, sender); + AckSender ackSender(this->publishData.qos, this->packet_id, this->protocolVersion); if (publishData.retain && settings->retainedMessagesMode == RetainedMessagesMode::DisconnectWithError) { @@ -2188,7 +2188,7 @@ void MqttPacket::handlePublish(std::shared_ptr<Client> &sender) } else if (sender->getMqtt3QoSExceedAction() == Mqtt3QoSExceedAction::Drop) { - ackSender.sendNow(); + ackSender.sendNow(sender.get()); } } else if (publishData.qos == 2 && sender->getSession()->incomingQoS2MessageIdInTransit(_packet_id)) @@ -2243,13 +2243,13 @@ void MqttPacket::handlePublish(std::shared_ptr<Client> &sender) first_byte = bites[0]; PublishCopyFactory factory(this); - ackSender.sendNow(); + ackSender.sendNow(sender.get()); globals->subscriptionStore->queuePacketAtSubscribers(factory, sender->getClientId(), sender->getFmqClientGroupId()); } } else if (authResult == AuthResult::success_but_drop_publish) { - ackSender.sendNow(); + ackSender.sendNow(sender.get()); } else { @@ -2264,6 +2264,8 @@ void MqttPacket::handlePublish(std::shared_ptr<Client> &sender) if (publishData.qos > 0) this->setPacketId(0); #endif + + ackSender.sendNow(sender.get()); } void MqttPacket::parsePubAckData()
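Review bot: in acksender.cpp, `assert(sent)` in `~AckSender()` is compiled out under NDEBUG, so in a release build a path that never calls `sendNow()` now drops the PUBACK silently, while in a debug build any exception that unwinds through the owner before the ack is sent ends in an abort at this assert. Consider logging the missed ack in the destructor alongside the assert, and add `#include <cassert>` here if it is not already pulled in, since the visible includes are only "mqttpacket.h" and "client.h". Also worth a comment in `sendNow`: `this->sent = true` is set before the write, so an ack whose write throws is treated as sent and is not retried.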
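Review bot: in acksender.h, `sendNow(Client *client)` takes a raw pointer although every call site in this patch passes `sender.get()` from a `shared_ptr` that is dereferenced nearby; a `Client &` parameter would put the non-null requirement into the signature. The class also lacks a comment stating its new contract, namely that the owner must call `sendNow` before the object goes out of scope because the destructor no longer sends. `AckSender() = delete;` is redundant once the three-argument constructor is declared, though harmless.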
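Review bot: in mqttpacket.cpp, the catch-all `ackSender.sendNow(sender.get());` added after the `#endif` at the end of `handlePublish` only runs on normal fall-through, so please confirm that no branch between the staging of `ackSender` and that line returns early or throws without having sent the ack, since the destructor no longer covers those paths. A short comment would help: the earlier calls fix the ordering (the ack goes out before `queuePacketAtSubscribers`), and the last one covers every remaining path, relying on the `if (sent) return;` guard to stay idempotent. A regression test for the buffer-full case on this path would pin the behaviour down.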
Vulnerability mechanics
Root cause
"An internal safe-guard exception related to buffer over-commit was not catchable, leading to a server abort."
Attack vector
An authorized client can exceed the permitted over-commit of their write buffer. This action triggers an internal exception that the server cannot catch, resulting in a crash. The vulnerability is triggered by sending a message that overloads the write buffer, specifically when handling PUBACKs [1].
Affected code
The vulnerability lies within the `AckSender` class, specifically in its destructor and the `sendNow` method. The changes in the patch involve modifications to the constructor and the `sendNow` method signature, as well as the addition of an assertion in the destructor [1]. The `MqttPacket::handlePublish` function was also updated to correctly call the modified `sendNow` method [1].
What the fix does
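The patch removes the implicit send from the `AckSender` destructor. Before the fix, the destructor called `sendNow()` whenever the ack had not yet been sent; after it, the destructor only asserts that `sent` is already set. An exception that escapes a C++ destructor cannot be caught by the caller, because destructors are implicitly `noexcept` and the throw ends in `std::terminate`, which matches the "uncatchable exception (buffer full)" named in the commit title. `AckSender` also no longer stores a reference to the client: `sendNow` now accepts a `Client*` argument and is called explicitly in `MqttPacket::handlePublish`, including a final call at the end of the function, so the ack is sent from ordinary function context rather than during destruction, avoiding the server abort [1].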
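The two shapes in miniature, as an added example that is not FlashMQ's code. It assumes the abort came from the buffer-full exception leaving the destructor, as the diff suggests; `ToyClient`, `DtorAck`, `ExplicitAck` and `handle_publish_fixed` are hypothetical names, and the toy capacity check stands in for the broker's write-buffer limit.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <type_traits>

// Constructed stand-in for a client with a bounded write buffer.
struct ToyClient {
    std::size_t capacity;
    std::string buffer;
    void write(const std::string &bytes) {
        if (buffer.size() + bytes.size() > capacity)
            throw std::runtime_error("write buffer full");
        buffer += bytes;
    }
};

// "Before" shape: an unsent ack is flushed from the destructor.
struct DtorAck {
    ToyClient &client;
    bool sent = false;
    explicit DtorAck(ToyClient &c) : client(c) {}
    void sendNow() { if (sent) return; sent = true; client.write("PUBACK"); }
    ~DtorAck() { if (!sent) sendNow(); } // a throw here ends in std::terminate
};

// Destructors are implicitly noexcept, so no catch block can see that throw.
static_assert(std::is_nothrow_destructible<DtorAck>::value, "implicitly noexcept");

// "After" shape: the destructor sends nothing; the caller sends explicitly.
struct ExplicitAck {
    bool sent = false;
    void sendNow(ToyClient *client) { if (sent) return; sent = true; client->write("PUBACK"); }
};

// Returns true when the buffer-full error was caught and the process lives on.
bool handle_publish_fixed(ToyClient &client) {
    ExplicitAck ack;
    try {
        ack.sendNow(&client);
    } catch (const std::runtime_error &) {
        return true; // a real broker would deal with this one client here
    }
    return false;
}

int main() {
    ToyClient full{4, ""};
    std::printf("caught buffer-full: %d\n", handle_publish_fixed(full));
}
```

Letting a `DtorAck` bound to a full `ToyClient` go out of scope would terminate the process, which is why the example only destroys one against a client with room.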
Preconditions
- auth: The client must be authorized.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0. No linked articles in our index yet.