CVE-2026-32696
Null Pointer Dereference in NanoMQ MQTT Broker Causes DoS
Publication date: 2026-03-30
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emqx | nanomq | all releases before 0.24.7 (0.24.7 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the NanoMQ MQTT broker (reported against 0.24.6; per the affected range above, all releases before 0.24.7) when HTTP authentication (auth.http_auth) is enabled and the HTTP request template uses the %u (username) and %P (password) placeholders. An MQTT client may send a CONNECT packet with the username and password flags clear, so the broker holds NULL for both values. While building the HTTP request that forwards those values to the authentication server, the broker computes the string length of the NULL pointers (a strlen() on NULL), which dereferences address zero and terminates the process with SIGSEGV.
The crash site is set_data() in auth_http.c. Because the fault happens while the authentication request is being assembled, before any authentication decision, no valid credentials are needed to trigger it, and it can be triggered remotely by anyone who can reach the MQTT listener.
The issue is fixed in NanoMQ 0.24.7.
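The request-building step described above, as an added illustration in C that is not NanoMQ's code: a stand-in template expander that substitutes the %c, %u and %P placeholders with values taken from the CONNECT packet. The placeholder names are the ones the advisory quotes; the function names, the template string, the sample client id and the treatment of unknown placeholders are assumptions made for this example. The commented-out line marks where an expander that trusts its arguments calls strlen() on NULL; the guarded form substitutes an empty string instead. A second helper reports whether a template references credentials at all, which is the condition the mitigation later on this page hinges on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NanoMQ code. Resolve a placeholder key to the value
 * taken from the CONNECT packet. Returns 1 for a known key (the value may
 * be NULL when the client sent no such field), 0 for an unknown key. */
static int lookup(char key, const char *clientid, const char *username,
                  const char *password, const char **value)
{
    switch (key) {
    case 'c': *value = clientid; return 1;
    case 'u': *value = username; return 1;
    case 'P': *value = password; return 1;
    default:  return 0;
    }
}

/* Expand "%c", "%u", "%P" in tmpl. Unknown "%x" sequences are copied
 * literally. A NULL value expands to "" instead of being handed to
 * strlen(). Returns a malloc'd string, or NULL on allocation failure. */
char *expand_template(const char *tmpl, const char *clientid,
                      const char *username, const char *password)
{
    size_t need = 1;
    char *out, *o;
    const char *t, *v;

    /* Pass 1: size the output. */
    for (t = tmpl; *t; t++) {
        if (*t == '%' && t[1] && lookup(t[1], clientid, username, password, &v)) {
            /* need += strlen(v);   <- unguarded form: SIGSEGV when v == NULL */
            need += v ? strlen(v) : 0;
            t++;
        } else {
            need++;
        }
    }
    out = malloc(need);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy, with the same NULL guard. */
    o = out;
    for (t = tmpl; *t; t++) {
        if (*t == '%' && t[1] && lookup(t[1], clientid, username, password, &v)) {
            if (v) {
                size_t n = strlen(v);
                memcpy(o, v, n);
                o += n;
            }
            t++;
        } else {
            *o++ = *t;
        }
    }
    *o = '\0';
    return out;
}

/* 1 if the template references %u or %P, i.e. it will need credentials that
 * an anonymous CONNECT does not carry; 0 otherwise. */
int template_uses_credentials(const char *tmpl)
{
    const char *t;
    for (t = tmpl; *t; t++)
        if (*t == '%' && (t[1] == 'u' || t[1] == 'P'))
            return 1;
    return 0;
}

int main(void)
{
    const char *tmpl = "clientid=%c&username=%u&password=%P";  /* constructed */
    /* Anonymous CONNECT: username and password are absent, so both are NULL. */
    char *body = expand_template(tmpl, "sensor-1", NULL, NULL);
    printf("%s\n", body);
    printf("template needs credentials: %d\n", template_uses_credentials(tmpl));
    free(body);
    return 0;
}
```

With the guard in place the anonymous client yields clientid=sensor-1&username=&password=, which the authentication server then rejects or accepts by its own policy; without it, the first anonymous CONNECT takes the broker down before the server is ever contacted.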
How can this vulnerability impact me?
The impact is denial of service. A remote attacker who can reach the broker's MQTT listener sends a CONNECT packet that simply omits the username and password fields (a valid anonymous connection, nothing malformed), and when HTTP authentication with the %u and %P placeholders is enabled the broker process crashes. Because the CONNECT is processed before any authentication decision, the attacker needs no account on the broker or the authentication server.
Each crash takes the broker down until it is restarted, and an attacker who keeps sending the same CONNECT can hold a supervised broker in a restart loop. Every edge application that publishes or subscribes through NanoMQ loses its messaging path for the duration.
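The trigger described above, as an added example in C (not NanoMQ code and not a client library): the byte layout of a minimal MQTT 3.1.1 CONNECT packet, once with the username and password fields present and once without, plus a decoder that reads the Connect Flags byte. The packet format is from the MQTT 3.1.1 specification; the client identifier, credentials and keep-alive value are constructed inputs. It shows that the packet in question is an ordinary anonymous CONNECT with bits 7 (User Name Flag) and 6 (Password Flag) of the Connect Flags clear, and the decoder is the check a broker has to make before it assumes a username and password are there to substitute.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONNECT_FLAG_USERNAME 0x80  /* bit 7 */
#define CONNECT_FLAG_PASSWORD 0x40  /* bit 6 */
#define CONNECT_FLAG_CLEAN    0x02  /* bit 1, Clean Session */

/* Append an MQTT length-prefixed string. Returns bytes written, 0 if no room. */
static size_t put_str(uint8_t *buf, size_t cap, const char *s)
{
    size_t n = strlen(s);
    if (n > 0xFFFF || cap < n + 2)
        return 0;
    buf[0] = (uint8_t)(n >> 8);
    buf[1] = (uint8_t)(n & 0xFF);
    memcpy(buf + 2, s, n);
    return n + 2;
}

/* Build an MQTT 3.1.1 CONNECT. username/password may be NULL: then the
 * matching flag bits stay clear and the payload ends after the Client
 * Identifier, which is exactly what an anonymous client sends.
 * Returns the packet length, or 0 if it does not fit in buf. */
size_t build_connect(uint8_t *buf, size_t cap, const char *clientid,
                     const char *username, const char *password,
                     uint16_t keepalive)
{
    uint8_t body[512];
    size_t n = 0, k, flags_at, i, rem;
    uint8_t flags = CONNECT_FLAG_CLEAN;

    /* Variable header: Protocol Name, Protocol Level, Connect Flags, Keep Alive. */
    if ((k = put_str(body, sizeof body, "MQTT")) == 0) return 0;
    n += k;
    body[n++] = 0x04;                       /* level 4 = MQTT 3.1.1 */
    flags_at = n++;                         /* filled in once payload is known */
    body[n++] = (uint8_t)(keepalive >> 8);
    body[n++] = (uint8_t)(keepalive & 0xFF);

    /* Payload: Client Identifier, then optional User Name and Password. */
    if ((k = put_str(body + n, sizeof body - n, clientid)) == 0) return 0;
    n += k;
    if (username != NULL) {
        flags |= CONNECT_FLAG_USERNAME;
        if ((k = put_str(body + n, sizeof body - n, username)) == 0) return 0;
        n += k;
        if (password != NULL) {             /* 3.1.1: password needs username */
            flags |= CONNECT_FLAG_PASSWORD;
            if ((k = put_str(body + n, sizeof body - n, password)) == 0) return 0;
            n += k;
        }
    }
    body[flags_at] = flags;

    /* Fixed header: type CONNECT (1) and variable-length Remaining Length. */
    if (cap < 1) return 0;
    i = 0;
    buf[i++] = 0x10;
    rem = n;
    do {
        uint8_t d = (uint8_t)(rem % 128);
        rem /= 128;
        if (i >= cap) return 0;
        buf[i++] = rem ? (uint8_t)(d | 0x80) : d;
    } while (rem);
    if (cap - i < n) return 0;
    memcpy(buf + i, body, n);
    return i + n;
}

/* Read the Connect Flags of a CONNECT packet. Returns 0 and sets *flags, or
 * -1 if the bytes are not a well-formed MQTT 3.1.1 CONNECT. */
int connect_flags(const uint8_t *pkt, size_t len, uint8_t *flags)
{
    size_t i = 1, rem = 0, mult = 1;
    if (len < 2 || pkt[0] != 0x10)
        return -1;
    for (;;) {                              /* Remaining Length varint, max 4 bytes */
        if (i >= len || i > 4) return -1;
        rem += (size_t)(pkt[i] & 0x7F) * mult;
        mult *= 128;
        if ((pkt[i++] & 0x80) == 0) break;
    }
    if (len - i != rem || rem < 10) return -1;
    if (memcmp(pkt + i, "\x00\x04MQTT\x04", 7) != 0) return -1;
    *flags = pkt[i + 7];
    return 0;
}

/* Encode then decode with a constructed client id; returns the Connect
 * Flags byte, or -1 on error. */
int roundtrip_flags(const char *username, const char *password, size_t *len_out)
{
    uint8_t pkt[128], f;
    size_t n = build_connect(pkt, sizeof pkt, "sensor-1", username, password, 60);
    if (n == 0 || connect_flags(pkt, n, &f) != 0) return -1;
    if (len_out) *len_out = n;
    return f;
}

int main(void)
{
    size_t n;
    int f = roundtrip_flags(NULL, NULL, &n);
    printf("anonymous CONNECT: %zu bytes, flags 0x%02x\n", n, f);
    f = roundtrip_flags("alice", "s3cret", &n);
    printf("authenticated CONNECT: %zu bytes, flags 0x%02x\n", n, f);
    return 0;
}
```

The anonymous packet is 22 bytes with Connect Flags 0x02 and passes every structural check; packet-level validation therefore cannot tell it apart from a legitimate anonymous client, and the remedy has to be the broker handling missing fields correctly (or a deliberate policy of refusing CONNECTs without credentials when the HTTP template requires them).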
What immediate steps should I take to mitigate this vulnerability?
Upgrade NanoMQ to version 0.24.7 or later, where the issue is patched.
Until the upgrade is done, do not combine HTTP authentication templates that use the %u and %P placeholders with a listener that anonymous clients can reach: either remove those placeholders from the template (accepting that the HTTP backend then cannot validate passwords) or make sure every client that can reach the broker always sends a username and password. Restricting the MQTT listener to trusted networks narrows who can trigger the crash, but any of those clients can still do so, so it is not a substitute for the upgrade.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a remote denial of service: the broker crashes on a CONNECT packet that carries no credentials. It does not involve unauthorized data access, data leakage, or data modification.
Since the issue affects availability only and does not compromise confidentiality or integrity, its direct effect on compliance with standards like GDPR or HIPAA, which are mostly concerned with the confidentiality and integrity of personal data, is limited.
Availability is nonetheless part of both regimes: GDPR Article 32(1)(b) requires the ongoing availability and resilience of processing systems, and the HIPAA Security Rule requires covered entities to ensure the availability of electronic protected health information. A prolonged or repeatedly triggered outage of a broker that carries such data could therefore still count against those requirements.