CVE-2026-22040 - Vulnerability Details

- NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash

Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available.

Published: 2026-03-04

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free condition (CWE‑416) in NanoMQ 0.24.6. By sending a crafted traffic pattern that mixes high‑frequency publishes with rapid reconnects under the same ClientID and induces massive subscribe/unsubscribe churn, an attacker can trigger a heap‑memory corruption in the broker process. This corruption leads to the broker aborting with SIGABRT, effectively terminating the service and causing a denial of service for all clients.

Affected Systems

The weakness exists only in the NanoMQ MQTT Broker from the nanomq project, specifically version 0.24.6. No fixed version is currently available, so all deployments running this version are vulnerable. Until a patched release is issued, users should avoid running the affected edition.

Risk and Exploitability

The CVSS base score is 5.3, reflecting a moderate impact. EPSS is under 1 %, indicating a very low likelihood of exploitation in the wild at present. The vulnerability is not in the CISA KEV catalog. An attacker requires the ability to place MQTT traffic on the broker, so the path is remote but limited to clients with network reach to the broker. The lack of a publicly released fix means the priority for addressing the issue is to implement mitigation controls rather than rely on patching.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nanomq

affected

Version	Status	Constraints
`= 0.24.6`	affected	—

Configuration 1 [-]

cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Nanomq

100%

Version	Status	Scheme	Platform
`0.24.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Limit publish and reconnect rates for every client, especially those that reuse the same ClientID, to prevent the trigger pattern.
Enforce unique ClientID usage and disallow concurrent reuse of the same identifier.
Set up monitoring of broker logs for SIGABRT crashes and configure alerts for rapid restart events.
Once a patched version of NanoMQ is released, upgrade the broker immediately.

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r

History

Wed, 18 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Emqx Emqx nanomq
CPEs		cpe:2.3:a:emqx:nanomq::::::::
Vendors & Products		Emqx Emqx nanomq

Thu, 05 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nanomq Nanomq nanomq
Vendors & Products		Nanomq Nanomq nanomq

Wed, 04 Mar 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available.
Title		NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash
Weaknesses		CWE-416
References		https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

Emqx Nanomq

Nanomq Nanomq

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-04T21:55:11.238Z

Updated: 2026-03-05T15:42:26.352Z

Reserved: 2026-01-05T22:30:38.719Z

Link: CVE-2026-22040

Vulnrichment

Updated: 2026-03-05T15:29:17.896Z

NVD

Status : Analyzed

Published: 2026-03-04T22:16:17.300

Modified: 2026-03-18T16:09:07.133

Link: CVE-2026-22040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object