Skip to main content

NanoMQ MQTT Broker CVE-2026-45151

| EUVD-2026-33429 LOW
NULL Pointer Dereference (CWE-476)
2026-05-29 GitHub_M
Null Pointer Dereference Denial Of Service Nanomq
2.9
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 29, 2026 - 20:34 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
2.9 (LOW)

DescriptionGitHub Advisory

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not return before locking c->mtx.

AnalysisAI

Null pointer dereference in NanoMQ MQTT Broker 0.24.8 and earlier causes a denial-of-service condition via the QUIC transport layer. The function quic_stream_recv fails to return after completing an asynchronous I/O operation with an error when a substream is in reopen state, proceeding to lock c->mtx against a null substream pointer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed NanoMQ QUIC listener port
Delivery
Initiate QUIC connection with crafted stream lifecycle
Exploit
Force substream into reopen state via packet timing
Execution
Trigger quic_stream_recv on null substream pointer
Persist
Broker process crashes
Impact
MQTT service unavailable
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target NanoMQ deployment has MQTT-over-QUIC transport enabled and listening - this is not the default TCP MQTT configuration, meaning deployments using only standard TCP/TLS MQTT are not affected by this specific code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall risk is low-to-moderate in operational terms. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the NanoMQ broker's QUIC listener sends a crafted sequence of QUIC stream packets designed to place a substream into the reopen state at a precise moment, then triggers the quic_stream_recv handler against the null substream pointer. The CVSS E:P metric indicates proof-of-concept code demonstrating this state manipulation exists. …
Remediation The primary remediation is to upgrade NanoMQ to a version beyond 0.24.8 that addresses this null pointer dereference; the exact patched release version should be confirmed via the vendor advisory at https://github.com/nanomq/nanomq/security/advisories/GHSA-9qhf-wgp4-p7w5, as the upstream fix version was not independently confirmed in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45151 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy