PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45151 nanomq CVE debrief

A null pointer dereference vulnerability exists in NanoMQ MQTT Broker versions 0.24.8 and earlier. The flaw occurs in the `quic_stream_recv` function when a QUIC substream is in a reopen state, causing the code to dereference a null substream pointer. While the function finishes the asynchronous I/O operation with an error, it fails to return before attempting to lock `c->mtx`, leading to potential undefined behavior. The CVSS 4.0 score of 2.9 (Low severity) reflects the attack complexity requirements and limited availability impact. The vulnerability is classified as CWE-476 (NULL Pointer Dereference). No known exploitation in the wild or ransomware campaign use has been reported.

Vendor
nanomq
Product
Unknown
CVSS
LOW 2.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running NanoMQ MQTT Broker 0.24.8 or earlier for IoT or edge messaging infrastructure, particularly those exposing QUIC-enabled MQTT services to untrusted networks.

Technical summary

The vulnerability exists in the QUIC stream receive handling code of NanoMQ. When a substream enters a reopen state, the `quic_stream_recv` function may encounter a null substream pointer. The error handling path completes the AIO with an error status but proceeds to mutex lock operations without proper return, creating a race condition or crash scenario. The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L) indicates network accessibility with high attack complexity and low availability impact.

Defensive priority

low

Recommended defensive actions

  • Upgrade NanoMQ MQTT Broker to a version newer than 0.24.8 when available
  • Monitor NanoMQ GitHub repository for security patches addressing GHSA-9qhf-wgp4-p7w5
  • Review QUIC stream handling code in custom NanoMQ deployments for similar null pointer patterns
  • Implement network segmentation to limit exposure of MQTT broker services
  • Enable crash monitoring and logging to detect potential null pointer dereference attempts

Evidence notes

Vulnerability description and technical details sourced from NVD record and GitHub Security Advisory. CVSS 4.0 vector confirms network attack vector with high attack complexity. Vendor attribution to NanoMQ project based on GitHub advisory reference.

Official resources

2026-05-29