CVE-2026-45151 Overview
CVE-2026-45151 is a null pointer dereference vulnerability [CWE-476] in NanoMQ, an open-source edge messaging platform implementing the MQTT protocol. The flaw resides in the quic_stream_recv function, which can dereference a null substream pointer when a substream enters the reopen state. The code completes the asynchronous I/O (AIO) operation with an error but fails to return before locking c->mtx, leading to the dereference. The issue affects NanoMQ version 0.24.8 and earlier. A remote unauthenticated attacker can trigger the condition over the network, but successful exploitation requires specific timing conditions.
Critical Impact
A remote attacker can crash the NanoMQ broker by triggering the null pointer dereference, resulting in a denial-of-service condition for MQTT clients relying on the broker.
Affected Products
- NanoMQ MQTT Broker version 0.24.8
- NanoMQ MQTT Broker versions earlier than 0.24.8
- Deployments using QUIC transport for MQTT messaging
Discovery Timeline
- 2026-05-29 - CVE-2026-45151 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45151
Vulnerability Analysis
NanoMQ supports MQTT over QUIC, a transport that multiplexes multiple substreams within a single connection. The quic_stream_recv function handles incoming data on these substreams. When a substream is in the reopen state, its pointer can be null while the receive callback fires. The function detects the error and completes the AIO operation with a failure status, but execution continues past the error handling. The next code path acquires the mutex c->mtx and then operates on the null substream pointer, triggering the dereference and crashing the broker process.
Root Cause
The root cause is a missing early return after error handling in quic_stream_recv. The function logic checks the substream state and finishes the pending AIO with an error code, but control flow falls through to subsequent statements that assume a valid substream pointer. This violates the contract that error paths should release resources and exit the function before further dereferences occur.
Attack Vector
An attacker can connect to a NanoMQ broker exposing the MQTT-over-QUIC listener and manipulate substream lifecycle events to induce the reopen state during a receive operation. No authentication is required because the condition is reachable during the QUIC handshake and early substream negotiation. The attack complexity is high because exploitation depends on race-like timing between substream reopen and incoming data. Refer to the GitHub Security Advisory GHSA-9qhf-wgp4-p7w5 for additional technical context.
Detection Methods for CVE-2026-45151
Indicators of Compromise
- Unexpected NanoMQ broker process crashes or restarts with SIGSEGV signals in system logs
- QUIC connection attempts from unknown sources immediately preceding broker termination
- Core dumps referencing quic_stream_recv in the NanoMQ binary stack trace
Detection Strategies
- Monitor NanoMQ process uptime and restart frequency using systemd or supervisor logs
- Inspect QUIC traffic patterns for abnormal substream reopen sequences targeting MQTT listeners
- Correlate broker crashes with inbound network flows on the configured QUIC port to identify suspicious sources
Monitoring Recommendations
- Enable verbose logging on the NanoMQ QUIC listener to capture substream state transitions
- Forward broker logs and process exit events to a centralized log management platform for retention and analysis
- Track MQTT client disconnection spikes that may indicate broker termination from an upstream trigger
How to Mitigate CVE-2026-45151
Immediate Actions Required
- Upgrade NanoMQ to a release later than 0.24.8 once a patched version is published by the maintainers
- Restrict network access to the MQTT-over-QUIC listener using firewall rules that allow only trusted client IP ranges
- Disable the QUIC transport in NanoMQ configuration if it is not required for your deployment
Patch Information
Review the NanoMQ GitHub Security Advisory GHSA-9qhf-wgp4-p7w5 for the official patch reference and fixed release version. The fix introduces an early return after the AIO is completed with error to prevent the subsequent dereference of the null substream pointer.
Workarounds
- Disable the QUIC listener in nanomq.conf and require clients to use TCP or WebSocket transports until the patch is applied
- Place NanoMQ behind a reverse proxy or load balancer that terminates QUIC and validates substream behavior before forwarding
- Configure process supervision to automatically restart the broker on crash to minimize service disruption while patching is scheduled
# Configuration example: disable QUIC listener in nanomq.conf
listeners.quic {
enable = false
}
# Restrict access to QUIC port (default 14567) with iptables
iptables -A INPUT -p udp --dport 14567 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p udp --dport 14567 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

