Null Pointer Dereference in NanoMQ MQTT Broker
CVE-2026-45151

2.9 LOW

Key Information:

Vendor: NanoMQ

Status
Vendor
CVE Published: 29 May 2026

What is CVE-2026-45151?

The NanoMQ MQTT Broker, an Edge Messaging Platform, is susceptible to a null pointer dereference in the quic_stream_recv function. When handling a substream in a reopened state, the code does not check whether the substream pointer is null. The flaw causes errant behavior during AIO completion and poses a system integrity threat, because the mutex associated with the connection remains locked even though an error has occurred. Updating promptly to a newer version is advisable to mitigate this issue.

Affected Version(s)

nanomq <= 0.24.8

CVSS V4

Score: 2.9
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
