CVE-2026-58210
Received Received - Intake

Memory Exhaustion in NATS Server via Incomplete MQTT Packets

Vulnerability report for CVE-2026-58210, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the parser waited for the advertised MQTT packet length. This issue is fixed in versions 2.14.3 and 2.12.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
nats_io nats_server to 2.12.12 (exc)
nats server 2.14.3
nats server 2.12.12
nats server to 2.14.3 (exc)
nats server to 2.12.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-58210 in the NATS server allows unauthenticated MQTT clients to exhaust server memory by sending large incomplete CONNECT packets before authentication completes, leading to a denial-of-service condition.

This issue impacts the availability of the NATS server, which could affect systems relying on it for messaging services.

However, there is no direct information in the provided context or resources about how this vulnerability specifically affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-58210 is a vulnerability in the NATS server where an unauthenticated MQTT client can send partial MQTT CONNECT packets that are incomplete. The server retains these large incomplete packets in memory while waiting for the full packet length to be received before authentication completes.

This behavior allows an attacker to consume server memory by sending many such partial packets, leading to uncontrolled resource consumption and potentially exhausting server memory.

The issue affects NATS server versions prior to 2.14.3 and 2.12.12 and is fixed by rejecting packets that exceed the maximum allowed payload size before buffering any data.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by exhausting the server's memory resources.

Since the server retains large incomplete MQTT CONNECT packets in memory before authentication, an attacker can send many such packets to consume significant memory, potentially causing the server to become unresponsive or crash.

The vulnerability has a high severity score of 7.5 and requires no privileges or user interaction to exploit, making it a significant risk to availability.

Detection Guidance

This vulnerability involves unauthenticated MQTT clients sending partial CONNECT packets that cause the NATS server to retain large incomplete packets in memory, leading to memory exhaustion. Detection would involve monitoring for unusual memory usage patterns on the NATS server, especially related to MQTT connections.

Network-level detection could include capturing and analyzing MQTT CONNECT packets to identify unusually large or incomplete packets being sent before authentication completes.

Specific commands are not provided in the resources, but general approaches include:

  • Using network packet capture tools like tcpdump or Wireshark to filter MQTT CONNECT packets and check for abnormal sizes or incomplete transmissions.
  • Monitoring server memory usage with tools like top, htop, or free on the NATS server to detect spikes potentially caused by this issue.
  • Reviewing NATS server logs for repeated authentication attempts or connection drops related to MQTT clients.
Mitigation Strategies

The primary mitigation step is to upgrade the NATS server to a fixed version that addresses this vulnerability.

  • Upgrade to NATS server version 2.14.3 or later, or 2.12.12 or later, where the vulnerability is fixed.

The fix involves rejecting MQTT CONNECT packets that exceed the maximum allowed payload size before buffering, preventing memory exhaustion.

If upgrading immediately is not possible, consider disabling MQTT support if it is not required in your deployment, as deployments not using MQTT are unaffected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart