Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.
Published: 2026-05-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanoMQ MQTT Broker can crash when a NULL pointer is dereferenced inside the tcptran_pipe_peer function during session resumption for clean_start=0 clients, a condition triggered by high‑concurrency reconnect traffic using a reconnect‑collision payload. The vulnerability does not provide privilege escalation or data exfiltration; it simply terminates the broker process, leading to a service interruption. The weakness is a classic NULL pointer dereference, classified as CWE‑476.
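The missing check described above, shown on a small model. This is an added example, not NanoMQ source code and not the 0.24.11 patch. The types and the functions pipe_add_sub, pipe_close and restore_session are hypothetical; only the field name subinfol and the variable name cpipe come from the description.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model; these are not NanoMQ's types. */
struct sub { char *topic; struct sub *next; };
struct sublist { struct sub *head; };
struct pipe_model { struct sublist *subinfol; };  /* NULL once torn down */

/* Prepend a subscription, allocating the list container on first use. */
int pipe_add_sub(struct pipe_model *p, const char *topic) {
    struct sub *s = calloc(1, sizeof *s);
    if (s) s->topic = malloc(strlen(topic) + 1);
    if (!s || !s->topic) { free(s); return -1; }
    strcpy(s->topic, topic);
    if (!p->subinfol && !(p->subinfol = calloc(1, sizeof *p->subinfol))) {
        free(s->topic); free(s); return -1;
    }
    s->next = p->subinfol->head;
    p->subinfol->head = s;
    return 0;
}

/* Teardown of the old connection: free the list and NULL the pointer. */
void pipe_close(struct pipe_model *p) {
    if (!p->subinfol) return;
    for (struct sub *s = p->subinfol->head, *n; s; s = n) {
        n = s->next; free(s->topic); free(s);
    }
    free(p->subinfol);
    p->subinfol = NULL;
}

/* Session restore: copy subscriptions from the cached pipe to the new one.
 * Returns the number copied, or -1 when there is nothing to restore. */
int restore_session(const struct pipe_model *cpipe, struct pipe_model *npipe) {
    if (!cpipe || !npipe || !cpipe->subinfol)
        return -1;  /* without this, ->head below dereferences NULL */
    int n = 0;
    for (const struct sub *s = cpipe->subinfol->head; s; s = s->next, n++) {
        if (pipe_add_sub(npipe, s->topic) != 0) {
            pipe_close(npipe);  /* do not leave a half-restored session */
            return -1;
        }
    }
    return n;
}
```

The guard covers only the already-NULL state named in the description; in a multithreaded broker the teardown and restore paths would also need to be serialized so the list cannot be freed while it is being copied.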

Affected Systems

The affected products are NanoMQ from the NanoNNG and nanomq projects. Versions 0.24.10 and earlier are vulnerable; the issue is resolved in 0.24.11 and newer releases.

Risk and Exploitability

With a CVSS score of 5.9, the vulnerability is considered moderate. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring an unauthenticated client to initiate many reconnection attempts in a race condition; therefore, it is most effective against environments where high‑concurrency reconnect traffic is possible. The risk is limited to service availability, but it can disrupt critical edge messaging traffic.

Generated by OpenCVE AI on May 19, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanoMQ to version 0.24.11 or later, which removes the NULL pointer dereference in tcptran_pipe_peer.
  • If an upgrade cannot be performed immediately, configure the broker or network to throttle or limit concurrent reconnect attempts from clients to reduce the race‑condition window.
  • Monitor broker logs for sudden crash events and set up alerts to detect potential DoS incidents early.

Advisories

No advisories yet.

History

Tue, 19 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nanomq; Nanomq nanomq
Vendors & Products | | Nanomq; Nanomq nanomq

Tue, 19 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.
Title | | NanoMQ: NULL Pointer Dereference Crash in tcptran_pipe_peer During Session Restore
Weaknesses | | CWE-476
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T18:01:45.428Z

Reserved: 2026-03-10T22:19:36.546Z

Link: CVE-2026-32134

Vulnrichment

Updated: 2026-05-19T17:57:26.470Z

NVD

Status: Deferred

Published: 2026-05-19T18:16:21.147

Modified: 2026-05-19T21:08:09.430

Link: CVE-2026-32134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:00:11Z

Weaknesses