Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.
Published: 2026-05-29
Score: 4.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanoMQ, an MQTT broker for edge messaging, has a type confusion flaw in the QUIC dialer close path. During connection establishment (dialing), aio->prov_data is stored as an nni_quic_conn*, but the dialer close routine later reads it as an ex_quic_conn*. The mismatch makes the broker interpret the object with the wrong layout, so the close operation hangs or crashes the process. This results in a denial‑of‑service condition for the broker but does not allow code execution or data exfiltration.
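
The store/read mismatch described above, with a tagged, checked downcast that rejects it, as an added example. This is not NanoMQ's code or its actual 0.24.14 fix; every struct, tag and function name below is a hypothetical stand-in.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins; NOT NanoMQ's real struct layouts or its actual fix. */
enum conn_kind { KIND_NNI_QUIC_CONN = 1, KIND_EX_QUIC_CONN = 2 };
struct conn_hdr { uint32_t kind; };  /* first member of every prov_data object */
struct nni_quic_conn_demo { struct conn_hdr hdr; int stream_id; };
struct ex_quic_conn_demo  { struct conn_hdr hdr; void *owner; int closing; };
struct aio_demo { void *prov_data; };

/* Dial path: stores the nni-style connection, as the description states. */
void dial_store(struct aio_demo *aio, struct nni_quic_conn_demo *c) {
    c->hdr.kind = KIND_NNI_QUIC_CONN;
    aio->prov_data = c;
}

/* Checked downcast: NULL unless the stored object carries the expected tag. */
void *prov_data_as(const struct aio_demo *aio, enum conn_kind want) {
    const struct conn_hdr *h = aio->prov_data;
    if (h == NULL || h->kind != (uint32_t)want) return NULL;
    return aio->prov_data;
}

/* Close path: an unconditional cast to the ex-style type is the confused read.
 * Here a mismatch is detected and the close fails cleanly instead. */
int dialer_close(struct aio_demo *aio) {
    struct ex_quic_conn_demo *ex = prov_data_as(aio, KIND_EX_QUIC_CONN);
    if (ex == NULL) return -1;
    ex->closing = 1;
    aio->prov_data = NULL;
    return 0;
}

/* Constructed scenario: dial stores nni-style, close expects ex-style. */
int demo_close_after_dial(void) {
    struct nni_quic_conn_demo c = { { 0 }, 7 };
    struct aio_demo aio = { NULL };
    dial_store(&aio, &c);
    return dialer_close(&aio);
}

/* Constructed scenario: the slot really holds an ex-style object. */
int demo_close_matching(void) {
    struct ex_quic_conn_demo ex = { { KIND_EX_QUIC_CONN }, NULL, 0 };
    struct aio_demo aio = { &ex };
    return dialer_close(&aio) == 0 && ex.closing == 1 && aio.prov_data == NULL;
}

int main(void) { return demo_close_after_dial() == -1 && demo_close_matching() ? 0 : 1; }
```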

Affected Systems

The issue affects all NanoMQ releases older than 0.24.14, distributed by the nanomq vendor. There are no further vendor or product details beyond the NanoMQ package itself. Users on any platform running the affected broker should update.

Risk and Exploitability

The CVSS score of 4.5 places the vulnerability in the medium range. No EPSS score is available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA’s KEV catalog, and no public exploitation has been reported. The attack vector is inferred to be local or remote within the broker’s control plane, requiring an entity able to initiate or close QUIC connections. Upgrading to version 0.24.14 eliminates the flaw.

Generated by OpenCVE AI on May 29, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanoMQ to 0.24.14 or a later release so the type confusion logic is corrected
  • Ensure existing QUIC connections are cleanly closed before performing the upgrade to avoid accidental hangs
  • Restart the broker after the upgrade and monitor logs for any residual crash behavior

Advisories

No advisories yet.

History

Fri, 29 May 2026 22:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nanomq; Nanomq nanomq
Vendors & Products | | Nanomq; Nanomq nanomq

Fri, 29 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.
Title | | NanoMQ: QUIC Dialer Close Type Confusion
Weaknesses | | CWE-843
References | |
Metrics | | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T21:36:48.164Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44640

Vulnrichment

Updated: 2026-05-29T21:35:45.630Z

NVD

Status: Deferred

Published: 2026-05-29T20:16:24.983

Modified: 2026-05-29T22:16:23.613

Link: CVE-2026-44640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T22:00:09Z

Weaknesses