Can you explain this vulnerability to me?

CVE-2026-21888 is a high-severity vulnerability in the NanoMQ MQTT Broker version 0.24.6 and earlier. It arises from improper parsing of MQTT v5 Variable Byte Integers (VBIs) in the function get_var_integer(). Specifically, the function accepts 5-byte varints without proper bounds checking, even though the MQTT v5 specification limits VBIs to a maximum of 4 bytes.

This flaw causes an out-of-bounds (OOB) read and heap-buffer-overflow when processing malformed MQTT CONNECT packets with specially crafted Properties Length fields containing excessive continuation bytes. When NanoMQ is built with AddressSanitizer (ASan), this vulnerability reliably triggers a crash due to heap-buffer-overflow detected by ASan.

The root cause is the lack of explicit bounds checking against the input buffer length during varint parsing, allowing the function to read beyond the allocated buffer by one byte, leading to memory corruption and process termination.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability primarily impacts the availability of the NanoMQ MQTT Broker service. An attacker can remotely exploit this flaw by sending a specially crafted malformed MQTT CONNECT packet that triggers a heap-buffer-overflow, causing the broker process to crash.

Because the attack vector is network-based and requires no privileges or user interaction, it has low attack complexity and can lead to denial of service (DoS) conditions, disrupting messaging services relying on NanoMQ.

There is no direct impact on confidentiality or integrity of data, but the service disruption can affect system reliability and availability.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or heap-buffer-overflow errors in NanoMQ when processing MQTT v5 packets, especially malformed CONNECT packets with Properties Length fields containing excessive continuation bytes.

A practical detection method involves building NanoMQ with AddressSanitizer (ASan) enabled to catch out-of-bounds reads reliably.

To reproduce or detect the issue, you can send a specially crafted MQTT CONNECT packet with a malformed Properties Length varint containing four continuation bytes (e.g., \x80\x80\x80\x80) to the broker on port 1883.

Example steps include:

• Build NanoMQ with ASan enabled using CMake flags: `cmake -DASAN=ON -DDEBUG=ON`
• Run the NanoMQ broker built with ASan.
• Send a malformed MQTT CONNECT packet with a crafted Properties Length varint (e.g., using a network tool or custom script) to port 1883.
• Observe ASan error logs for heap-buffer-overflow reports indicating out-of-bounds reads in `get_var_integer()`.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of vulnerable NanoMQ versions (0.24.6 and earlier) until a patched version is available.

Since the vulnerability is triggered by malformed MQTT v5 packets with oversized varints, you can implement network-level filtering or intrusion detection rules to block or alert on suspicious MQTT CONNECT packets containing invalid Properties Length fields.

Additionally, running NanoMQ with ASan enabled in a testing environment can help detect exploitation attempts by crashing on out-of-bounds reads.

Monitor NanoMQ logs and system stability for crashes that may indicate exploitation attempts.

Useful 0 Not Useful 0