CVE-2026-32134
Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NanoMQ MQTT Broker <=0.24.10 crashes via NULL pointer dereference in session restore under high-concurrency reconnect, enabling remote unauthenticated DoS.
Vulnerability
In NanoMQ MQTT Broker versions 0.24.10 and below, the tcptran_pipe_peer() function in broker_tcp.c copies subscription metadata from the cached old pipe's list (cpipe->subinfol) into the reconnecting pipe's list (npipe->subinfol) with a NULL check on the source list only. Under high-concurrency reconnect traffic with clean_start=0 clients, a race condition can cause a pipe's subinfol to be freed and set to NULL before session restoration completes, leading to a NULL pointer dereference and broker crash [1][2].
Exploitation
An unauthenticated remote attacker can send a high volume of MQTT CONNECT packets with the same client ID and clean_start=0 to trigger pipe ID collisions. This causes the old pipe to be closed asynchronously, freeing session metadata (subinfol) before the new pipe's session restore callback executes. The attacker does not need any prior authentication or special network position beyond reachability to the broker's MQTT port [1][2].
Impact
Successful exploitation results in a denial-of-service (DoS) condition: the broker process crashes, terminating all active connections and requiring manual restart. No data is compromised, but service availability is lost [1].
Mitigation
The vulnerability is fixed in NanoMQ version 0.24.11 [4]. The fix adds a NULL check on npipe->subinfol alongside the existing check on cpipe->subinfol in tcptran_pipe_peer() and in the analogous tlstran_pipe_peer() (TLS) and wstran_pipe_peer() (WebSocket) callbacks [3]. Users should upgrade to 0.24.11 or later. No workaround is documented; if an upgrade is not possible, limiting concurrent reconnections or having clients use clean_start=1 may reduce exposure but is not a complete mitigation [1].
- [1] NanoMQ v0.24.10-14 Session Restore Feature: NULL Pointer Dereference Crash in `tcptran_pipe_peer`
- [2] NanoMQ v0.24.10-14 Session Restore Feature: NULL Pointer Dereference Crash in `tcptran_pipe_peer`
- [3] * MDF [trasnport/mqtt] add more null checker base on review · nanomq/NanoNNG@522ec62
- [4] Release NanoMQ 0.24.11 · nanomq/nanomq
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
522ec62e29e6 * MDF [trasnport/mqtt] add more null checker base on review
3 files changed · +3 −6
src/sp/transport/mqtt/broker_tcp.c+1 −2 modified@@ -2180,7 +2180,7 @@ tcptran_pipe_peer(void *arg) npipe = (nni_pipe *) cpipe->tpipe; // target pipe nni_mtx_lock(&p->mtx); - if (cpipe->subinfol != NULL) { + if (cpipe->subinfol != NULL && npipe->subinfol != NULL) { NNI_LIST_FOREACH(cpipe->subinfol, info) { if (!info) { log_error("got error topic from subinfol!"); @@ -2217,7 +2217,6 @@ tcptran_pipe_peer(void *arg) npipe->packet_id = cpipe->packet_id; npipe->nano_qos_db = cpipe->nano_qos_db; - // nni_atomic_set_bool(&old->p_closed, true); nni_atomic_set_bool(&p->closed, true); // set event of old pipe to false and discard it. nni_atomic_swap_bool(&cpipe->cache, false);
src/sp/transport/mqtts/broker_tls.c+1 −2 modified@@ -2245,7 +2245,7 @@ tlstran_pipe_peer(void *arg) npipe = (nni_pipe *) cpipe->tpipe; // target pipe nni_mtx_lock(&p->mtx); - if (cpipe->subinfol != NULL) { + if (cpipe->subinfol != NULL && npipe->subinfol != NULL) { NNI_LIST_FOREACH(cpipe->subinfol, info) { if (!info) { log_error("got error topic from subinfol!"); @@ -2283,7 +2283,6 @@ tlstran_pipe_peer(void *arg) npipe->packet_id = cpipe->packet_id; npipe->nano_qos_db = cpipe->nano_qos_db; - // nni_atomic_set_bool(&old->p_closed, true); nni_atomic_set_bool(&p->closed, true); // set event of old pipe to false and discard it. nni_atomic_swap_bool(&cpipe->cache, false);
src/sp/transport/mqttws/nmq_websocket.c+1 −2 modified@@ -1423,7 +1423,7 @@ wstran_pipe_peer(void *arg) return 2 } nni_mtx_lock(&p->mtx); - if (cpipe->subinfol != NULL) { + if (cpipe->subinfol != NULL && npipe->subinfol != NULL) { NNI_LIST_FOREACH(cpipe->subinfol, info) { if (!info) { log_error("got error topic from subinfol!"); @@ -1461,7 +1461,6 @@ wstran_pipe_peer(void *arg) npipe->packet_id = cpipe->packet_id; npipe->nano_qos_db = cpipe->nano_qos_db; - // nni_atomic_set_bool(&old->p_closed, true); nni_atomic_set_bool(&p->closed, true); // set event of old pipe to false and discard it. nni_atomic_swap_bool(&cpipe->cache, false);
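Review bot: the new `npipe->subinfol != NULL` guard in the `@@ -2180` hunk of broker_tcp.c turns the crash into a silent skip: a clean_start=0 client whose new pipe has no list resumes with none of its cached subscriptions and nothing is logged. Add an `else` branch that at least logs the skipped restore (the surrounding code already uses `log_error(...)` for a bad entry). Also, the check runs after `nni_mtx_lock(&p->mtx)`, so it only closes the window if the asynchronous close that frees and NULLs `subinfol` takes the same lock; a freed but still non-NULL pointer would pass this check, so please confirm the close path's locking in the commit description.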
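Review bot: deleting the commented-out `// nni_atomic_set_bool(&old->p_closed, true);` in the `@@ -2217` hunk is unrelated cleanup bundled into a security fix; fine to keep, but mention it in the commit message, which currently says only "add more null checker base on review" and references neither the advisory nor the reconnect race the guard addresses.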
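Review bot: the broker_tls.c and nmq_websocket.c hunks are line-for-line copies of the broker_tcp.c change apart from the function name, i.e. the session-restore block is maintained by hand in three transports. Consider lifting the subscription copy into one shared helper in the MQTT transport code so the next missing check cannot be fixed in one transport and missed in another.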
Vulnerability mechanics
Root cause
"Missing NULL pointer check on npipe->subinfol before iterating the subscription list during MQTT session resumption, allowing a NULL dereference under a reconnect race condition."
Attack vector
An unauthenticated remote attacker sends a high volume of MQTT CONNECT packets with clean_start=0 and a colliding client ID, triggering rapid reconnects that race against the session-resumption logic. During the race, a pipe's subscription list (subinfol) can be freed and set to NULL before tcptran_pipe_peer(), tlstran_pipe_peer(), or wstran_pipe_peer() finishes copying session metadata from the cached old pipe (cpipe) into the new pipe (npipe). The pre-patch code checked cpipe->subinfol before entering the NNI_LIST_FOREACH loop but never checked npipe->subinfol, the list the loop copies into; dereferencing that NULL pointer causes a segmentation fault and crashes the broker process. The attack requires no authentication and is launched over the network, though the CVSS score notes high complexity due to the race condition timing.
Affected code
The vulnerability exists in the `tcptran_pipe_peer()` function in `src/sp/transport/mqtt/broker_tcp.c`, the `tlstran_pipe_peer()` function in `src/sp/transport/mqtts/broker_tls.c`, and the `wstran_pipe_peer()` function in `src/sp/transport/mqttws/nmq_websocket.c`. All three functions iterate `cpipe->subinfol` without checking whether the destination pipe's `npipe->subinfol` pointer is NULL before entering the `NNI_LIST_FOREACH` loop [patch_id=626086].
What the fix does
The patch adds a second NULL check, `npipe->subinfol != NULL`, alongside the existing `cpipe->subinfol != NULL` check in all three transport callbacks (broker_tcp.c, broker_tls.c, nmq_websocket.c) [patch_id=626086], so the NNI_LIST_FOREACH copy loop runs only when both the source and destination subscription lists are non-NULL. The patch also removes a commented-out line (`// nni_atomic_set_bool(&old->p_closed, true);`). Note what the guard does and does not cover: it prevents the crash when a list pointer has been set to NULL, but a NULL check cannot detect a dangling pointer to a list that was freed without being cleared, so it closes the reported crash rather than the underlying reconnect race itself; when the check fails, the subscription copy is skipped and the rest of the session metadata (packet_id, nano_qos_db) is still transferred.
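As an added example for the attack vector, affected code and fix described above (not NanoMQ or NNG code): a self-contained C model of the session-restore copy, with the pre-fix shape (source list checked only) beside the post-fix shape (both lists checked), and a scenario driver that simulates the old pipe's asynchronous close freeing and NULLing its list. Every name here (sub_info, sub_list, mqtt_pipe, restore_session_vuln, restore_session_fixed, run_restore_scenario) and the three subscriptions are constructed for the illustration; the intrusive list stands in for NNG's nni_list and NNI_LIST_FOREACH.

```c
/* Added illustration, not NanoMQ/NNG code. All types and functions are
 * hypothetical stand-ins for the transport pipe and its subinfol list. */
#include <stdio.h>
#include <stdlib.h>

typedef struct sub_info {
    char topic[64];
    unsigned char qos;
    struct sub_info *next;
} sub_info;

typedef struct sub_list {      /* stands in for the nni_list behind subinfol */
    sub_info *head;
    size_t count;
} sub_list;

typedef struct mqtt_pipe {     /* stands in for nni_pipe / transport pipe */
    const char *client_id;
    int clean_start;
    sub_list *subinfol;        /* NULL once the pipe has been torn down */
} mqtt_pipe;

static sub_list *sub_list_new(void) { return calloc(1, sizeof(sub_list)); }

static int sub_list_append(sub_list *l, const char *topic, unsigned char qos) {
    sub_info *s = calloc(1, sizeof *s);
    if (s == NULL)
        return -1;
    snprintf(s->topic, sizeof s->topic, "%s", topic);
    s->qos = qos;
    s->next = l->head;         /* dereferences l: this is the crash when l is NULL */
    l->head = s;
    l->count++;
    return 0;
}

static void sub_list_free(sub_list *l) {
    if (l == NULL)
        return;
    for (sub_info *s = l->head; s != NULL;) {
        sub_info *next = s->next;
        free(s);
        s = next;
    }
    free(l);
}

/* The old pipe's asynchronous close as the advisory describes it:
 * the list is freed and the pointer set to NULL. */
static void pipe_teardown(mqtt_pipe *p) {
    sub_list_free(p->subinfol);
    p->subinfol = NULL;
}

/* Pre-fix shape: only the cached old pipe's list is checked. Appending
 * into a NULL destination list is the NULL pointer dereference. */
int restore_session_vuln(mqtt_pipe *cpipe, mqtt_pipe *npipe) {
    int copied = 0;
    if (cpipe->subinfol != NULL) {
        for (sub_info *s = cpipe->subinfol->head; s != NULL; s = s->next)
            if (sub_list_append(npipe->subinfol, s->topic, s->qos) == 0)
                copied++;
    }
    return copied;
}

/* Post-fix shape: both lists are checked. Returning -1 rather than silently
 * copying nothing gives the caller a hook to log the lost session. */
int restore_session_fixed(mqtt_pipe *cpipe, mqtt_pipe *npipe) {
    if (cpipe->subinfol == NULL || npipe->subinfol == NULL)
        return -1;
    int copied = 0;
    for (sub_info *s = cpipe->subinfol->head; s != NULL; s = s->next)
        if (sub_list_append(npipe->subinfol, s->topic, s->qos) == 0)
            copied++;
    return copied;
}

/* Scenario driver with constructed data: an old pipe holding three subscriptions
 * and a new clean_start=0 pipe for the same client id. Returns the restore result.
 * use_fixed=0 with new_pipe_has_list=0 reproduces the segfault; do not combine. */
int run_restore_scenario(int use_fixed, int new_pipe_has_list, int old_pipe_torn_down) {
    mqtt_pipe cpipe = { "sensor-01", 0, sub_list_new() };
    mqtt_pipe npipe = { "sensor-01", 0, new_pipe_has_list ? sub_list_new() : NULL };
    sub_list_append(cpipe.subinfol, "site/+/temp", 1);
    sub_list_append(cpipe.subinfol, "site/+/hum", 0);
    sub_list_append(cpipe.subinfol, "$SYS/broker/uptime", 0);
    if (old_pipe_torn_down)
        pipe_teardown(&cpipe); /* the race: the close wins before restore runs */
    int rc = use_fixed ? restore_session_fixed(&cpipe, &npipe)
                       : restore_session_vuln(&cpipe, &npipe);
    sub_list_free(cpipe.subinfol);
    sub_list_free(npipe.subinfol);
    return rc;
}

int main(void) {
    printf("fixed, both lists present -> %d copied\n", run_restore_scenario(1, 1, 0));
    printf("fixed, new pipe list NULL -> %d (skipped)\n", run_restore_scenario(1, 0, 0));
    printf("fixed, old pipe torn down -> %d (skipped)\n", run_restore_scenario(1, 1, 1));
    printf("vuln,  old pipe torn down -> %d copied\n", run_restore_scenario(0, 1, 1));
    return 0;
}
```

The pre-fix variant survives the old pipe being torn down (its existing cpipe check skips the loop) but segfaults inside sub_list_append when the new pipe's list is NULL, which is the crash the advisory reports; the driver therefore never runs that combination. The fixed variant returns -1 instead of silently copying nothing, which is the hook a caller would use to log the lost session; the upstream patch only skips the loop.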
Preconditions
- Network: attacker must be able to send MQTT CONNECT packets to the broker over TCP, TLS or WebSocket.
- Input: attacker must send CONNECT packets with clean_start=0 to trigger the session resumption logic.
- Config: broker must be running a vulnerable version (≤ 0.24.10) with session persistence enabled (default for clean_start=0 clients).
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.