Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45151

CVE-2026-45151: NanoMQ MQTT Broker Use-After-Free Flaw

CVE-2026-45151 is a use-after-free vulnerability in NanoMQ MQTT Broker that occurs when quic_stream_recv dereferences a null substream pointer. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-45151 Overview

CVE-2026-45151 is a null pointer dereference vulnerability [CWE-476] in NanoMQ, an open-source edge messaging platform implementing the MQTT protocol. The flaw resides in the quic_stream_recv function, which can dereference a null substream pointer when a substream enters the reopen state. The code completes the asynchronous I/O (AIO) operation with an error but fails to return before locking c->mtx, leading to the dereference. The issue affects NanoMQ version 0.24.8 and earlier. A remote unauthenticated attacker can trigger the condition over the network, but successful exploitation requires specific timing conditions.

Critical Impact

A remote attacker can crash the NanoMQ broker by triggering the null pointer dereference, resulting in a denial-of-service condition for MQTT clients relying on the broker.

Affected Products

  • NanoMQ MQTT Broker version 0.24.8
  • NanoMQ MQTT Broker versions earlier than 0.24.8
  • Deployments using QUIC transport for MQTT messaging

Discovery Timeline

  • 2026-05-29 - CVE-2026-45151 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-45151

Vulnerability Analysis

NanoMQ supports MQTT over QUIC, a transport that multiplexes multiple substreams within a single connection. The quic_stream_recv function handles incoming data on these substreams. When a substream is in the reopen state, its pointer can be null while the receive callback fires. The function detects the error and completes the AIO operation with a failure status, but execution continues past the error handling. The next code path acquires the mutex c->mtx and then operates on the null substream pointer, triggering the dereference and crashing the broker process.

Root Cause

The root cause is a missing early return after error handling in quic_stream_recv. The function logic checks the substream state and finishes the pending AIO with an error code, but control flow falls through to subsequent statements that assume a valid substream pointer. This violates the contract that error paths should release resources and exit the function before further dereferences occur.

Attack Vector

An attacker can connect to a NanoMQ broker exposing the MQTT-over-QUIC listener and manipulate substream lifecycle events to induce the reopen state during a receive operation. No authentication is required because the condition is reachable during the QUIC handshake and early substream negotiation. The attack complexity is high because exploitation depends on race-like timing between substream reopen and incoming data. Refer to the GitHub Security Advisory GHSA-9qhf-wgp4-p7w5 for additional technical context.

Detection Methods for CVE-2026-45151

Indicators of Compromise

  • Unexpected NanoMQ broker process crashes or restarts with SIGSEGV signals in system logs
  • QUIC connection attempts from unknown sources immediately preceding broker termination
  • Core dumps referencing quic_stream_recv in the NanoMQ binary stack trace

Detection Strategies

  • Monitor NanoMQ process uptime and restart frequency using systemd or supervisor logs
  • Inspect QUIC traffic patterns for abnormal substream reopen sequences targeting MQTT listeners
  • Correlate broker crashes with inbound network flows on the configured QUIC port to identify suspicious sources

Monitoring Recommendations

  • Enable verbose logging on the NanoMQ QUIC listener to capture substream state transitions
  • Forward broker logs and process exit events to a centralized log management platform for retention and analysis
  • Track MQTT client disconnection spikes that may indicate broker termination from an upstream trigger

How to Mitigate CVE-2026-45151

Immediate Actions Required

  • Upgrade NanoMQ to a release later than 0.24.8 once a patched version is published by the maintainers
  • Restrict network access to the MQTT-over-QUIC listener using firewall rules that allow only trusted client IP ranges
  • Disable the QUIC transport in NanoMQ configuration if it is not required for your deployment

Patch Information

Review the NanoMQ GitHub Security Advisory GHSA-9qhf-wgp4-p7w5 for the official patch reference and fixed release version. The fix introduces an early return after the AIO is completed with error to prevent the subsequent dereference of the null substream pointer.

Workarounds

  • Disable the QUIC listener in nanomq.conf and require clients to use TCP or WebSocket transports until the patch is applied
  • Place NanoMQ behind a reverse proxy or load balancer that terminates QUIC and validates substream behavior before forwarding
  • Configure process supervision to automatically restart the broker on crash to minimize service disruption while patching is scheduled
bash
# Configuration example: disable QUIC listener in nanomq.conf
listeners.quic {
    enable = false
}

# Restrict access to QUIC port (default 14567) with iptables
iptables -A INPUT -p udp --dport 14567 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p udp --dport 14567 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.