Executive Summary

CVE-2026-21888 is a high-severity vulnerability in the NanoMQ MQTT Broker version 0.24.6 and earlier. It arises from improper parsing of MQTT v5 Variable Byte Integers (VBIs) in the function get_var_integer(). Specifically, the function accepts 5-byte varints without proper bounds checking, even though the MQTT v5 specification limits VBIs to a maximum of 4 bytes.

This flaw causes an out-of-bounds (OOB) read and heap-buffer-overflow when processing malformed MQTT CONNECT packets with specially crafted Properties Length fields containing excessive continuation bytes. When NanoMQ is built with AddressSanitizer (ASan), this vulnerability reliably triggers a crash due to heap-buffer-overflow detected by ASan.

The root cause is the lack of explicit bounds checking against the input buffer length during varint parsing, allowing the function to read beyond the allocated buffer by one byte, leading to memory corruption and process termination.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability primarily impacts the availability of the NanoMQ MQTT Broker service. An attacker can remotely exploit this flaw by sending a specially crafted malformed MQTT CONNECT packet that triggers a heap-buffer-overflow, causing the broker process to crash.

Because the attack vector is network-based and requires no privileges or user interaction, it has low attack complexity and can lead to denial of service (DoS) conditions, disrupting messaging services relying on NanoMQ.

There is no direct impact on confidentiality or integrity of data, but the service disruption can affect system reliability and availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or heap-buffer-overflow errors in NanoMQ when processing MQTT v5 packets, especially malformed CONNECT packets with Properties Length fields containing excessive continuation bytes.

A practical detection method involves building NanoMQ with AddressSanitizer (ASan) enabled to catch out-of-bounds reads reliably.

To reproduce or detect the issue, you can send a specially crafted MQTT CONNECT packet with a malformed Properties Length varint containing four continuation bytes (e.g., \x80\x80\x80\x80) to the broker on port 1883.

Example steps include:

• Build NanoMQ with ASan enabled using CMake flags: `cmake -DASAN=ON -DDEBUG=ON`
• Run the NanoMQ broker built with ASan.
• Send a malformed MQTT CONNECT packet with a crafted Properties Length varint (e.g., using a network tool or custom script) to port 1883.
• Observe ASan error logs for heap-buffer-overflow reports indicating out-of-bounds reads in `get_var_integer()`.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of vulnerable NanoMQ versions (0.24.6 and earlier) until a patched version is available.

Since the vulnerability is triggered by malformed MQTT v5 packets with oversized varints, you can implement network-level filtering or intrusion detection rules to block or alert on suspicious MQTT CONNECT packets containing invalid Properties Length fields.

Additionally, running NanoMQ with ASan enabled in a testing environment can help detect exploitation attempts by crashing on out-of-bounds reads.

Monitor NanoMQ logs and system stability for crashes that may indicate exploitation attempts.

Useful 0 Not Useful 0