{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22040", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T22:30:38.719Z", "datePublished": "2026-03-04T21:55:11.238Z", "dateUpdated": "2026-03-05T15:42:26.352Z"}, "containers": {"cna": {"title": "NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r"}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"version": "= 0.24.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:55:11.238Z"}, "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available."}], "source": {"advisory": "GHSA-v57q-w88m-424r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:29:16.882273Z", "id": "CVE-2026-22040", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:42:26.352Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22040", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T15:29:16.882273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:29:17.896Z"}}], "cna": {"title": "NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash", "source": {"advisory": "GHSA-v57q-w88m-424r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"status": "affected", "version": "= 0.24.6"}]}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r", "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:55:11.238Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22040", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:42:26.352Z", "dateReserved": "2026-01-05T22:30:38.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T21:55:11.238Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*", "matchCriteriaId": "F998E900-76B1-4D92-B8AB-CD4EE23C2E3C", "versionEndExcluding": "0.24.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available."}, {"lang": "es", "value": "NanoMQ MQTT Broker (NanoMQ) es una Plataforma de Mensajer\u00eda de Borde integral. En la versi\u00f3n 0.24.6, al generar un patr\u00f3n de tr\u00e1fico combinado de publicaciones de alta frecuencia y reconexiones/expulsiones r\u00e1pidas utilizando el mismo ClientID y una fluctuaci\u00f3n masiva de suscripciones/desuscripciones, es posible activar de forma fiable la corrupci\u00f3n de memoria del heap en el proceso del Broker, haciendo que termine inmediatamente con SIGABRT debido a free(): puntero inv\u00e1lido. En el momento de la publicaci\u00f3n, no hay versiones parcheadas conocidas disponibles."}], "id": "CVE-2026-22040", "lastModified": "2026-03-18T16:09:07.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T22:16:17.300", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.24.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nanomq", "source": "cna", "vendor": "nanomq"}, "product": "nanomq", "vendor": "nanomq"}], "analysis": {"en": {"generated_at": "2026-04-17T13:01:29.276854+00:00", "value": {"mitigation_remediation": ["Limit publish and reconnect rates for every client, especially those that reuse the same ClientID, to prevent the trigger pattern.", "Enforce unique ClientID usage and disallow concurrent reuse of the same identifier.", "Set up monitoring of broker logs for SIGABRT crashes and configure alerts for rapid restart events.", "Once a patched version of NanoMQ is released, upgrade the broker immediately."], "summary": {"action": "Apply Mitigation", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The weakness exists only in the NanoMQ MQTT Broker from the nanomq project, specifically version 0.24.6. No fixed version is currently available, so all deployments running this version are vulnerable. Until a patched release is issued, users should avoid running the affected edition.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free condition (CWE\u2011416) in NanoMQ 0.24.6. By sending a crafted traffic pattern that mixes high\u2011frequency publishes with rapid reconnects under the same ClientID and induces massive subscribe/unsubscribe churn, an attacker can trigger a heap\u2011memory corruption in the broker process. This corruption leads to the broker aborting with SIGABRT, effectively terminating the service and causing a denial of service for all clients.", "risk_and_exploitability": "The CVSS base score is 5.3, reflecting a moderate impact. EPSS is under 1\u202f%, indicating a very low likelihood of exploitation in the wild at present. The vulnerability is not in the CISA KEV catalog. An attacker requires the ability to place MQTT traffic on the broker, so the path is remote but limited to clients with network reach to the broker. The lack of a publicly released fix means the priority for addressing the issue is to implement mitigation controls rather than rely on patching."}}}}, "created": "2026-03-05T09:05:39.838853+00:00", "updated": "2026-04-17T13:15:19.648126+00:00", "vendors": ["nanomq", "nanomq$PRODUCT$nanomq"]}