CVE-2026-45151
Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not return before locking c->mtx.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NULL pointer dereference in NanoMQ <=0.24.8 leads to crash when handling a reopening substream.
Vulnerability
In NanoMQ versions 0.24.8 and earlier, the function quic_stream_recv in nng/src/supplemental/quic/msquic_dial.c can dereference the NULL connection pointer c when a substream is in the reopen state. The code calls nni_aio_finish_error but does not return before attempting to lock c->mtx, resulting in a null pointer dereference and a crash [1].
Exploitation
An attacker with network access to the NanoMQ broker can trigger the vulnerability by sending crafted QUIC packets that cause a substream to enter a reopen state. This leads to the vulnerable code path being exercised, resulting in a null pointer dereference and crash of the broker process [1].
Impact
Successful exploitation causes a denial of service (DoS) by crashing the NanoMQ broker. No code execution or information disclosure is anticipated from this vulnerability.
Mitigation
As of the advisory date, no patch is available for versions 0.24.8 and earlier. Users should monitor the NanoMQ repository for updates and apply a fix once released. There is no known workaround [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
12d80f7cff59f* MDF [nng] new 0.24.9 release
2 files changed · +3 −3
nanomq/include/version.h+2 −2 modified@@ -1,4 +1,4 @@ #define NANO_VER_MAJOR 0 #define NANO_VER_MINOR 24 -#define NANO_VER_PATCH 8 -#define NANO_VER_ID_SHORT "12" +#define NANO_VER_PATCH 9 +#define NANO_VER_ID_SHORT "13"
nng+1 −1 modified@@ -1 +1 @@ -Subproject commit 07c3bb2e7b875d7f8f6f92f998707322d0be0449 +Subproject commit aae1341955b1c0e06d2c9cda857e667a75abcfe2
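Review bot: the security fix itself is not visible in this change. The nng hunk only moves the submodule pointer from 07c3bb2e7b875d7f8f6f92f998707322d0be0449 to aae1341955b1c0e06d2c9cda857e667a75abcfe2, and the commit message "[nng] new 0.24.9 release" does not say which nng commit adds the missing return in quic_stream_recv. Suggest naming that nng commit and CVE-2026-45151 in the commit message (or a changelog entry alongside the version.h bump from `NANO_VER_PATCH 8` to `NANO_VER_PATCH 9`) so the release is traceable to the vulnerability it closes.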
Vulnerability mechanics
Root cause
"Missing return statement after error handling in quic_stream_recv allows NULL pointer dereference when a substream is in reopen state."
Attack vector
An attacker can trigger a NULL pointer dereference by sending a QUIC multistream message with a stream ID that maps to a substream currently in the reopen state (i.e., `ec->substrms[strmid-1]` is NULL). Because the vulnerable code path does not return after finishing the AIO with an error, the function proceeds to lock `c->mtx` on the NULL connection pointer, causing a crash. This is remotely triggerable under specific stream-state timing and is fuzz-discoverable with stateful sequencing [ref_id=1].
Affected code
The vulnerability resides in `nng/src/supplemental/quic/msquic_dial.c` in the `quic_stream_recv` function. When `strmid != 0` and `ec->substrms[strmid-1]` is NULL (substream in reopen state), the code calls `nni_aio_finish_error(aio, NNG_ECANCELED)` but does not return, so execution continues to lock `c->mtx` on the NULL pointer `c` [ref_id=1]. The patch updates the submodule pointer to aae1341955b1c0e06d2c9cda857e667a75abcfe2, which presumably adds the missing return statement [patch_id=3107125].
What the fix does
The patch updates the nng submodule commit from `07c3bb2e7b875d7f8f6f92f998707322d0be0449` to `aae1341955b1c0e06d2c9cda857e667a75abcfe2` and bumps the NanoMQ version to 0.24.9 [patch_id=3107125]. The advisory explains that the fix adds a `return` statement after `nni_aio_finish_error(aio, NNG_ECANCELED)` when the substream pointer is NULL, preventing execution from reaching the `nni_mtx_lock(&c->mtx)` call on a NULL pointer [ref_id=1]. Without this return, the function continues to dereference the NULL connection pointer, causing a crash.
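As an added illustration of the fix, not code from nng or NanoMQ, the hardened shape of the receive path in C: the types `quic_conn`, `quic_endpoint`, `nni_aio`, the stand-in mutex and the error values are constructed to mirror the advisory's wording, and the block also adds a range check on `strmid` that the advisory does not mention.

```c
/* Added illustration of the missing-return pattern described above; a
 * hypothetical model, not nng's msquic_dial.c. Types, field names and
 * error values are constructed to mirror the advisory's wording. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_SUBSTRMS  8
#define NNG_ECANCELED 1   /* constructed; real nng error codes differ */
#define NNG_EINVAL    2

typedef struct { int locks; } nni_mtx;                                /* stand-in mutex */
typedef struct { nni_mtx mtx; int id; } quic_conn;                    /* stands in for `c` */
typedef struct { quic_conn *substrms[MAX_SUBSTRMS]; } quic_endpoint;  /* stands in for `ec` */
typedef struct { int rv; bool finished; } nni_aio;                    /* minimal AIO */

static void nni_mtx_lock(nni_mtx *m)   { m->locks++; }
static void nni_mtx_unlock(nni_mtx *m) { (void)m; }
static void nni_aio_finish_error(nni_aio *aio, int rv) { aio->rv = rv; aio->finished = true; }
static void nni_aio_finish(nni_aio *aio)               { aio->rv = 0;  aio->finished = true; }

/* Reopening a substream clears its slot: the state the vulnerable path mishandled. */
void substream_begin_reopen(quic_endpoint *ec, int strmid) {
    if (strmid > 0 && strmid <= MAX_SUBSTRMS) ec->substrms[strmid - 1] = NULL;
}

/* Hardened receive path. Returns the id of the connection whose mutex was
 * taken, or -1 if the request was rejected. The range check on strmid is an
 * added defensive check beyond the single `return` the advisory describes. */
int quic_stream_recv_fixed(quic_endpoint *ec, quic_conn *main_conn, int strmid, nni_aio *aio) {
    quic_conn *c = main_conn;                    /* strmid == 0: the main stream */
    if (strmid != 0) {
        if (strmid < 0 || strmid > MAX_SUBSTRMS) {
            nni_aio_finish_error(aio, NNG_EINVAL);
            return -1;
        }
        c = ec->substrms[strmid - 1];
        if (c == NULL) {                         /* substream in reopen state */
            nni_aio_finish_error(aio, NNG_ECANCELED);
            return -1;  /* the line the fix adds: without it execution falls
                           through to nni_mtx_lock(&c->mtx) with c == NULL */
        }
    }
    nni_mtx_lock(&c->mtx);
    nni_aio_finish(aio);
    nni_mtx_unlock(&c->mtx);
    return c->id;
}
```

The AIO is still completed with an error for the reopening substream; what changes is that the function leaves before it touches the NULL connection.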
Preconditions
- network: The attacker must be able to send QUIC multistream messages to the broker.
- input: A substream must be in the reopen state (NULL pointer in the substrms array) at the time of the request.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.