Unrated severityNVD Advisory· Published Mar 11, 2026· Updated Mar 11, 2026

MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer()

CVE-2026-21888

Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier.

Affected products

Nanomq/Nanomqv5
Range: <= 0.24.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nanomq/nanomq/issues/2192mitrex_refsource_MISC
github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000