
CVE-2026-21888: NanoMQ MQTT Broker Buffer Overflow Flaw

CVE-2026-21888 is a buffer overflow vulnerability in NanoMQ MQTT Broker caused by improper parsing of MQTT v5 Variable Byte Integers. This article covers technical details, affected versions, impact, and mitigation.

Published: March 13, 2026

CVE-2026-21888 Overview

CVE-2026-21888 is a high-severity out-of-bounds read vulnerability affecting NanoMQ MQTT Broker, an all-around Edge Messaging Platform. The vulnerability exists in the MQTT v5 Variable Byte Integer parsing implementation, specifically within the get_var_integer() function. This function accepts 5-byte variable integers without performing proper bounds checks, which can reliably trigger an out-of-bounds read and application crash when the software is built with AddressSanitizer (ASan). The vulnerability affects NanoMQ version 0.24.6 and earlier.

Critical Impact

Remote attackers can exploit this vulnerability to cause denial of service conditions against NanoMQ MQTT broker instances by sending specially crafted MQTT v5 packets containing malformed variable byte integers.

Affected Products

  • NanoMQ MQTT Broker version 0.24.6 and earlier
  • Systems running NanoMQ as an edge messaging platform
  • IoT deployments utilizing NanoMQ for MQTT messaging

Discovery Timeline

  • 2026-03-11 - CVE-2026-21888 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-21888

Vulnerability Analysis

This vulnerability is classified as CWE-125 (Out-of-Bounds Read), a memory safety issue that occurs when software reads data past the boundary of an allocated buffer. In the context of NanoMQ, the parsing logic for MQTT v5 Variable Byte Integers fails to properly validate input boundaries before attempting to read memory.

The MQTT v5 protocol specification defines Variable Byte Integers as a compact encoding scheme that can represent values from 0 to 268,435,455 using between 1 and 4 bytes. Each byte uses the most significant bit as a continuation flag, with the remaining 7 bits contributing to the value. The NanoMQ implementation incorrectly accepts a 5-byte sequence, which violates the protocol specification and leads to reading beyond the intended buffer boundaries.

The impact includes potential information disclosure through memory content leakage, as well as reliable denial of service through application crashes. The network-accessible nature of MQTT services means this vulnerability can be exploited remotely without authentication.

Root Cause

The root cause lies in the get_var_integer() function within the NanoMQ codebase, which lacks proper validation of the Variable Byte Integer length. According to the MQTT v5 specification, variable byte integers must be encoded in a maximum of 4 bytes. However, the vulnerable implementation continues parsing beyond this boundary when presented with a malformed packet containing a 5-byte sequence with continuation bits set.

The absence of bounds checking allows an attacker to craft a packet that causes the parser to read memory beyond the allocated input buffer, resulting in either an out-of-bounds read that may leak sensitive memory contents or a crash when attempting to access unmapped memory regions.
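The following is an added example, not NanoMQ's code: a Variable Byte Integer decoder that enforces both limits described above, the spec's 4-byte maximum and the end of the input buffer, so the 5-byte continuation run from the advisory is rejected before a fifth byte is ever read. The same check is what an MQTT-aware filter at a network boundary would apply to the Remaining Length and property-length fields; the names `mqtt_decode_vbi`, `vbi_status` and `MQTT_VBI_MAX_BYTES` are this example's own.

```c
/* Added example, not NanoMQ's code: a bounds-checked MQTT v5 Variable Byte
 * Integer decoder enforcing the two limits the vulnerable get_var_integer()
 * lacked: the spec's 4-byte maximum and the end of the input buffer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MQTT_VBI_MAX_BYTES 4   /* MQTT v5: 1..4 bytes, values 0..268,435,455 */
typedef enum {
    VBI_OK = 0,
    VBI_TRUNCATED = -1,  /* buffer ended while a continuation bit was set */
    VBI_MALFORMED = -2   /* 4th byte still has continuation bit: >4-byte encoding */
} vbi_status;

/* Decode from buf[0..len). Writes value and bytes consumed on success.
 * Never reads buf[i] for i >= len and never reads a 5th byte. */
vbi_status mqtt_decode_vbi(const uint8_t *buf, size_t len,
                           uint32_t *out, size_t *consumed)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 0;
    for (;;) {
        if (i >= len)                     /* bound 1: the packet buffer */
            return VBI_TRUNCATED;
        uint8_t b = buf[i++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0)
            break;                        /* final byte of the encoding */
        if (i >= MQTT_VBI_MAX_BYTES)      /* bound 2: the protocol */
            return VBI_MALFORMED;         /* a 5th byte would be needed */
        multiplier *= 128;
    }
    *out = value;
    *consumed = i;
    return VBI_OK;
}

int main(void)
{
    /* Constructed inputs: the spec maximum and the 5-byte continuation run. */
    const uint8_t max_ok[] = {0xFF, 0xFF, 0xFF, 0x7F};
    const uint8_t five[]   = {0xFF, 0xFF, 0xFF, 0xFF, 0x7F};
    uint32_t v = 0; size_t n = 0;
    vbi_status s = mqtt_decode_vbi(max_ok, sizeof max_ok, &v, &n);
    printf("4-byte max: status=%d value=%u consumed=%zu\n", s, v, n);
    s = mqtt_decode_vbi(five, sizeof five, &v, &n);
    printf("5-byte run: status=%d (rejected, 5th byte never read)\n", s);
    return 0;
}
```

A decoder that checks only the continuation bit, with neither bound, is exactly the shape of defect CWE-125 describes: it keeps walking as long as the high bit is set, regardless of where the buffer ends.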

Attack Vector

The attack can be executed remotely over the network by any client capable of establishing a connection to the NanoMQ MQTT broker. No authentication or special privileges are required to exploit this vulnerability.

An attacker would craft a malicious MQTT v5 packet containing a Variable Byte Integer field with more than 4 bytes, each with the continuation bit set. When the NanoMQ broker parses this packet, the get_var_integer() function reads beyond the allocated buffer, triggering the out-of-bounds read condition.

The vulnerability mechanism operates as follows: when a malformed MQTT v5 packet arrives at the broker, the parser attempts to decode variable-length integer fields. Without proper boundary validation, the parser continues reading bytes as long as continuation flags are present, eventually accessing memory beyond the packet buffer. For technical implementation details, refer to the GitHub Issue Discussion and the GitHub Security Advisory GHSA-cggc-6m7w-j7x5.

Detection Methods for CVE-2026-21888

Indicators of Compromise

  • Unexpected NanoMQ broker crashes or service restarts
  • Malformed MQTT v5 packets with oversized Variable Byte Integer fields (more than 4 bytes)
  • Connection attempts followed by immediate disconnections with error conditions
  • Memory access violation logs in system journals when running NanoMQ
  • Increased frequency of segmentation fault signals from the NanoMQ process

Detection Strategies

  • Deploy network intrusion detection rules to identify MQTT v5 packets with malformed Variable Byte Integer sequences exceeding 4 bytes
  • Monitor NanoMQ process health for unexpected crashes, restarts, or abnormal termination signals
  • Implement MQTT protocol validation at network boundaries to filter non-compliant packets before they reach the broker
  • Enable AddressSanitizer in development/staging environments to catch exploitation attempts with detailed diagnostics
  • Analyze MQTT connection patterns for anomalous behavior such as repeated malformed packet submissions

Monitoring Recommendations

  • Configure centralized logging for NanoMQ broker instances to capture crash events and error conditions
  • Set up alerting on NanoMQ process termination events using process monitoring tools
  • Implement MQTT traffic analysis to baseline normal packet sizes and flag anomalies
  • Monitor system memory access patterns for signs of out-of-bounds read attempts
  • Establish baseline metrics for MQTT connection success rates to detect exploitation attempts

How to Mitigate CVE-2026-21888

Immediate Actions Required

  • Update NanoMQ MQTT Broker to the latest patched version that addresses this vulnerability
  • Implement network segmentation to restrict access to MQTT broker services to trusted clients only
  • Deploy MQTT-aware firewalls or proxies that can validate protocol compliance before forwarding to the broker
  • Review and restrict network access to NanoMQ instances using firewall rules
  • Enable process monitoring and automatic restart capabilities to minimize service disruption

Patch Information

The NanoMQ development team has addressed this vulnerability. Users should upgrade to a version newer than 0.24.6 that includes the fix for the Variable Byte Integer parsing issue. Detailed patch information and security guidance are available in the GitHub Security Advisory GHSA-cggc-6m7w-j7x5.

Workarounds

  • Restrict network access to NanoMQ broker services using firewall rules to limit exposure to trusted networks only
  • Deploy an MQTT proxy or gateway that performs protocol validation and filters malformed packets
  • Implement client authentication requirements to reduce the attack surface from anonymous connections
  • Consider running NanoMQ in a containerized environment with resource limits to contain potential crashes
  • Monitor for and automatically restart crashed NanoMQ instances while awaiting patch deployment

```bash
# Example: Restrict MQTT access to trusted network ranges using iptables
# 1883 is the default plaintext MQTT port; add matching rules for 8883
# if the broker also listens for MQTT over TLS.
iptables -A INPUT -p tcp --dport 1883 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1883 -j DROP

# Example: Enable NanoMQ process monitoring with systemd restart
# In /etc/systemd/system/nanomq.service
# [Service]
# Restart=on-failure
# RestartSec=5s
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: Nanomq
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.05%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-125

Technical References

  • GitHub Issue Discussion
  • GitHub Security Advisory GHSA-cggc-6m7w-j7x5

Related CVEs

  • CVE-2026-34608: NanoMQ MQTT Broker Buffer Overflow Flaw
  • CVE-2026-32696: NanoMQ MQTT Broker DoS Vulnerability
  • CVE-2026-22040: NanoMQ MQTT Broker Use-After-Free Flaw
  • CVE-2025-68699: NanoMQ MQTT Broker DOS Vulnerability