
NanoMQ CVE-2026-44640

EUVD-2026-33428 MEDIUM
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-05-29 GitHub_M
4.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
4.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: May 29, 2026 - 21:02 (EUVD)
Analysis Generated: May 29, 2026 - 20:35 (vuln.today)

Description (GitHub Advisory)

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.
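
One way to guard an untyped slot like `aio->prov_data` against the mismatch described above, as an added example that is not NanoMQ's code or its 0.24.14 fix: each object carries a type tag, and the close path checks the tag before casting. The struct layouts, the tag enum and the function names are hypothetical; only `nni_quic_conn`, `ex_quic_conn` and `prov_data` come from the advisory.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layouts for illustration; NOT NanoMQ's real definitions.
 * Only nni_quic_conn, ex_quic_conn and prov_data are names from the advisory. */
typedef enum { KIND_NONE = 0, KIND_NNI_QUIC, KIND_EX_QUIC } conn_kind;
typedef struct { conn_kind kind; } conn_hdr;            /* common first member */
typedef struct { conn_hdr hdr; int stream_id; void *pipe; } nni_quic_conn;
typedef struct { conn_hdr hdr; void *cancel_cb; int closed; } ex_quic_conn;
typedef struct { void *prov_data; } aio_t;              /* untyped slot */

/* Dial path: tags the object before parking it in the untyped slot. */
void dial_store(aio_t *aio, nni_quic_conn *c) {
    c->hdr.kind = KIND_NNI_QUIC;
    aio->prov_data = c;
}

/* Close path: dispatches on the tag instead of assuming ex_quic_conn*.
 * Returns 0 (closed as ex_quic_conn), 1 (closed as nni_quic_conn), -1 (rejected). */
int dialer_close(aio_t *aio) {
    conn_hdr *h = aio ? aio->prov_data : NULL;
    if (h == NULL) return -1;
    switch (h->kind) {
    case KIND_EX_QUIC:  ((ex_quic_conn *)h)->closed = 1;      break;
    case KIND_NNI_QUIC: ((nni_quic_conn *)h)->stream_id = -1; break;
    default: return -1;                 /* unknown tag: refuse to interpret */
    }
    aio->prov_data = NULL;              /* slot is consumed exactly once */
    return h->kind == KIND_EX_QUIC ? 0 : 1;
}

/* Constructed scenario: dial stores an nni_quic_conn, then the dialer closes. */
int close_after_dial(void) {
    nni_quic_conn c = { { KIND_NONE }, 7, NULL };
    aio_t aio = { NULL };
    dial_store(&aio, &c);
    int rc = dialer_close(&aio);
    return (rc == 1 && c.stream_id == -1 && aio.prov_data == NULL) ? 1 : -1;
}

/* The fields a blind cast would alias sit at different offsets in this sketch. */
int layouts_differ(void) {
    return offsetof(ex_quic_conn, closed) != offsetof(nni_quic_conn, stream_id);
}

int main(void) {
    printf("close_after_dial=%d layouts_differ=%d\n", close_after_dial(), layouts_differ());
    return 0;
}
```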

Analysis (AI)

Type confusion in NanoMQ MQTT Broker's QUIC dialer close path allows a local attacker with high complexity to cause the broker process to hang or crash. Versions prior to 0.24.14 store a pointer as nni_quic_conn* during dialing but later misread that same memory location as ex_quic_conn* during dialer close, producing invalid object interpretation across mismatched struct layouts. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local access to NanoMQ host
Delivery: Initiate QUIC dialer connection to broker
Exploit: Trigger connection close sequence at vulnerable timing
Execution: aio->prov_data misread as ex_quic_conn* causes invalid memory interpretation
Impact: Broker process hangs or crashes (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires local access to the host running NanoMQ (AV:L) - remote unauthenticated triggering is not possible per the CVSS vector. …
Risk Assessment: The CVSS 3.1 score of 4.5 (Medium) accurately reflects a constrained threat profile: local access vector (AV:L), high attack complexity (AC:H), and required user interaction (UI:R) collectively mean this vulnerability cannot be triggered remotely or trivially. …
Exploit Scenario: A local user or process on the NanoMQ host initiates a QUIC-based MQTT dial operation and then triggers the connection close sequence under conditions that exercise the mistyped pointer dereference in `aio->prov_data`. The broker interprets the `nni_quic_conn*` memory as an `ex_quic_conn*` struct, accesses an incorrect field offset, and either enters an infinite hang or faults, crashing the broker process. …
Remediation: The primary and recommended fix is to upgrade NanoMQ to version 0.24.14 or later, which corrects the type confusion in the QUIC dialer close path. …
