{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.929Z", "datePublished": "2026-03-11T15:22:32.463Z", "dateUpdated": "2026-03-11T15:35:36.678Z"}, "containers": {"cna": {"title": "MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer()", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5"}, {"name": "https://github.com/nanomq/nanomq/issues/2192", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/nanomq/issues/2192"}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"version": "<= 0.24.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T15:22:32.463Z"}, "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier."}], "source": {"advisory": "GHSA-cggc-6m7w-j7x5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:35:24.683645Z", "id": "CVE-2026-21888", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:35:36.678Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21888", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:35:24.683645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:35:27.865Z"}}], "cna": {"title": "MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer()", "source": {"advisory": "GHSA-cggc-6m7w-j7x5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"status": "affected", "version": "<= 0.24.6"}]}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5", "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nanomq/nanomq/issues/2192", "name": "https://github.com/nanomq/nanomq/issues/2192", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T15:22:32.463Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21888", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:35:36.678Z", "dateReserved": "2026-01-05T17:24:36.929Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T15:22:32.463Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*", "matchCriteriaId": "490B7BD1-582C-4755-985F-7A3682332DEE", "versionEndIncluding": "0.24.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier."}, {"lang": "es", "value": "NanoMQ MQTT Broker (NanoMQ) es una Plataforma de Mensajer\u00eda de Borde integral. An\u00e1lisis de enteros de bytes variables de MQTT v5 fuera de l\u00edmites: get_var_integer() acepta varints de 5 bytes sin comprobaciones de l\u00edmites; desencadena de forma fiable una lectura fuera de l\u00edmites / ca\u00edda cuando se compila con ASan. Esto afecta a la versi\u00f3n 0.24.6 y anteriores."}], "id": "CVE-2026-21888", "lastModified": "2026-03-17T19:20:17.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T16:16:23.930", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/nanomq/nanomq/issues/2192"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.24.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nanomq", "source": "cna", "vendor": "nanomq"}, "product": "nanomq", "vendor": "nanomq"}], "analysis": {"en": {"generated_at": "2026-03-17T20:26:42.445222+00:00", "value": {"mitigation_remediation": ["Upgrade NanoMQ to any release newer than 0.24.6."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (Out-of-Bounds Read)"}, "threat_synthesis": {"affected_systems": "The affected vendor is nanomq, product NanoMQ MQTT Broker. All releases up to and including version 0.24.6 are vulnerable. Users should ensure they run a version newer than 0.24.6.", "description_and_impact": "NanoMQ MQTT Broker contains a flaw in the MQTT v5 Variable Byte Integer parsing routine get_var_integer(). The routine accepts up to five-byte varints without bounds checks, causing an out\u2011of\u2011bounds read when a malformed payload is processed. The vulnerability leads to an application crash (identified when built with Address Sanitizer). This results in a denial of service that can interrupt broker availability.", "risk_and_exploitability": "CVSS score is 7.5, indicating moderate to high severity. EPSS score is under 1%, showing low immediate exploit probability. The vulnerability is not listed in the CISA KEV catalog. The flaw can be triggered via malicious MQTT v5 traffic containing an oversized variable byte integer, implying a remote exploitation path and the primary risk being service disruption."}}}}, "created": "2026-03-12T10:05:44.723276+00:00", "updated": "2026-03-23T09:55:32.846562+00:00", "vendors": ["nanomq", "nanomq$PRODUCT$nanomq"]}