Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.
AnalysisAI
Remote unauthenticated denial-of-service in NanoMQ MQTT Broker (versions 0.24.10 and below) crashes the broker process via a NULL pointer dereference triggered by high-concurrency MQTT reconnect traffic. The flaw occurs during session resumption for persistent-session clients (clean_start=0), where the NanoNNG transport layer's pipe_peer() function dereferences cpipe->subinfol without verifying that the new pipe's subinfol pointer is also non-NULL - a pointer that can be freed mid-race. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, CVSS AV:N/PR:N confirms remote unauthenticated triggering, and the fix has been released in version 0.24.11.
Technical ContextAI
NanoMQ is an edge MQTT broker built on top of NanoNNG, its underlying messaging transport library. The defect resides in three transport implementations within NanoNNG: broker_tcp.c (tcptran_pipe_peer), broker_tls.c (tlstran_pipe_peer), and nmq_websocket.c (wstran_pipe_peer) - covering TCP, TLS, and WebSocket MQTT transports respectively. During session resumption for a persistent MQTT session (clean_start=0), the pipe_peer() function copies subscription metadata from a cached 'old pipe' (cpipe) to the new reconnecting pipe (npipe). The original code guarded only cpipe->subinfol for NULL before iterating it, but not npipe->subinfol. Under a high-concurrency reconnect-collision scenario, npipe->subinfol can be freed and nullified between the NULL check on cpipe and the actual data copy into npipe, triggering a CWE-476 NULL Pointer Dereference. The fix (NanoNNG commit 522ec62e) adds a conjunctive null guard: if (cpipe->subinfol != NULL && npipe->subinfol != NULL) across all three transport files, closing the race window. Both CPE strings cpe:2.3:a:nanomq:nanomq and cpe:2.3:a:nanomq:nanonng are affected, reflecting the split between the broker application and its transport library.
RemediationAI
Upgrade NanoMQ to version 0.24.11, which contains the vendor-released patch. The release is available at https://github.com/nanomq/nanomq/releases/tag/0.24.11, and the underlying NanoNNG fix is in commit 522ec62e29e60d1122f2aedaa6e702dcf089f7bb at https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb. If immediate upgrade is not feasible, consider the following specific compensating controls: restrict MQTT client connection policies to enforce clean_start=1 on all clients, eliminating persistent session resumption entirely and removing the vulnerable code path (trade-off: clients lose persistent subscriptions and queued messages on reconnect); apply network-layer rate limiting on the MQTT port (default 1883/TCP and 8883/TLS) to prevent the high-concurrency reconnect volume required to trigger the race condition (trade-off: may impact legitimate reconnect bursts from large fleets); or deploy NanoMQ behind a reverse proxy or MQTT load balancer that enforces per-client reconnect throttling. The vendor security advisory should be consulted for any additional guidance at https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2.
NanoMQ 0.17.5 has a one-byte heap-based buffer over-read in the conn_handler function of mqtt_parser.c when it processes
CVE-2024-42646 is a segmentation fault vulnerability in NanoMQ v0.21.10 that allows unauthenticated remote attackers to
Null Pointer Dereference vulnerability in topic_filtern function in mqtt_parser.c in NanoMQ 0.21.7 allows attackers to c
A use-after-free vulnerability exists in NanoMQ 0.17.2. Rated high severity (CVSS 7.5), this vulnerability is remotely e
A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. Rated high severity (CVSS 7.5), this vulnerability is remo
A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. Rated high severity (CVSS 7.5), this vulnerability is remo
A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. Rated high severity (CVSS 7.5), this vulnerability is remo
In NanoMQ v0.15.0-0, segment fault with Null Pointer Dereference occurs in the process of decoding subinfo_decode and un
In NanoMQ v0.15.0-0, a Heap overflow occurs in copyn_utf8_str function of mqtt_parser.c. Rated high severity (CVSS 7.5),
In NanoMQ v0.15.0-0, Heap overflow occurs in read_byte function of mqtt_code.c. Rated high severity (CVSS 7.5), this vul
A heap-buffer-overflow vulnerability in the read_byte function in NanoMQ v.0.21.7 allows attackers to cause a denial of
NanoMQ v0.22.10 was discovered to contain a memory leak which allows attackers to cause a Denial of Service (DoS) via a
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30965