CVE-2026-44640
Type Confusion in NanoMQ MQTT Broker Leading to Crash
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nanomq | nanomq | up to 0.24.14 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44640 is a type confusion vulnerability in the NanoMQ MQTT Broker, specifically affecting the QUIC dialer close functionality in versions 0.24.x and earlier.
The issue arises because a QUIC connection pointer (nni_quic_conn*) is stored during the dialing process but is incorrectly interpreted as a different pointer type (ex_quic_conn*) during the dialer close operation.
This mismatch causes invalid memory access, which leads to the application hanging or crashing when a dialer is closed while a pending asynchronous I/O operation is still active.
How can this vulnerability impact me?
An attacker with local access can exploit this vulnerability to cause a denial of service by forcing the NanoMQ process to hang or crash.
The attack requires high complexity and does not need special privileges or user interaction.
The impact on confidentiality, integrity, and availability is limited, with a moderate severity rating (CVSS score 4.5).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing hangs or crashes in the NanoMQ broker when a QUIC dialer is closed while an asynchronous I/O operation is still pending; the trigger is the type confusion in the QUIC dialer close path.
A proof-of-concept demonstrates the issue by dialing a QUIC connection and then closing the dialer prematurely, which causes the application to hang. Detection can be done by reproducing this behavior in a controlled environment.
No specific commands are provided in the resources. You can monitor NanoMQ logs for crashes or hangs related to QUIC dialer close operations, and use fuzzing tools to trigger the vulnerability by dialing and closing QUIC connections rapidly.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NanoMQ to version 0.24.14 or later, as this version includes a fix for the type confusion vulnerability in the QUIC dialer close functionality.
If upgrading is not immediately possible, avoid closing QUIC dialers while asynchronous I/O operations are still pending to reduce the risk of triggering the vulnerability.
Additionally, monitor the system for hangs or crashes related to QUIC dialer operations and apply any available patches or workarounds provided by the NanoMQ project.