Out-of-Bounds Read Vulnerability in NanoMQ MQTT Broker
CVE-2026-21888

7.5HIGH

Key Information:

Vendor: NanoMQ
Status: NanoMQ
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-21888?

The NanoMQ MQTT Broker is an edge messaging platform that has an out-of-bounds read vulnerability due to improper handling of MQTT v5 variable byte integer parsing. Specifically, the function get_var_integer() permits 5-byte varints without adequate bounds checks, potentially leading to unintended memory access and application crashes. This vulnerability primarily affects versions 0.24.6 and earlier, creating significant security risks for applications utilizing these versions. Users are encouraged to review their implementations and upgrade to secure versions to mitigate potential exploits.

Affected Version(s)

nanomq <= 0.24.6

References

https://github.com/nanomq/nanomq/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/nanomq/nanomq/issues/2192

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-21888 Data

JSON