CVE-2026-32134 nanomq CVE debrief

Who should care

Operators of NanoMQ brokers, especially internet-facing or heavily loaded deployments that accept MQTT reconnect traffic and rely on persistent sessions (clean_start=0). Security teams should also care if NanoMQ is embedded in edge or IoT messaging paths where a broker crash would disrupt service availability.

Technical summary

The reported flaw occurs in tcptran_pipe_peer(), which iterates cpipe->subinfol while copying session metadata from an old cached pipe to a reconnecting pipe. Under a reconnect collision/race, cpipe->subinfol may already have been freed and set to NULL before session restore reaches this code path. Because the callback does not check for NULL before dereferencing the pointer, the broker can crash. NVD lists the issue as CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H with CWE-476.

Defensive priority

Medium, but treat as urgent for exposed or high-availability brokers because the impact is a remote unauthenticated process crash affecting service availability.

Recommended defensive actions

• Upgrade NanoMQ to version 0.24.11 or later.
• If immediate upgrading is not possible, reduce exposure of the broker to untrusted networks and restrict who can reach MQTT listener ports.
• Review deployments that use persistent sessions (clean_start=0) and monitor for reconnect storms or repeated broker restarts.
• Validate that operational monitoring alerts on NanoMQ process crashes and automatic restarts.
• Track the GitHub security advisory and release notes to confirm the fix is present in your build and packaging channel.

Evidence notes

This debrief is based on the supplied CVE description and the referenced GitHub advisory, issue, commit, and 0.24.11 release. The CVE was published on 2026-05-19. NVD metadata identifies the weakness as CWE-476 and assigns CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied source also states the issue is fixed in 0.24.11 and affects versions 0.24.10 and below.

Official resources