A null pointer dereference vulnerability exists in NanoMQ MQTT Broker versions 0.24.8 and earlier. The flaw occurs in the `quic_stream_recv` function when a QUIC substream is in a reopen state, causing the code to dereference a null substream pointer. While the function finishes the asynchronous I/O operation with an error, it fails to return before attempting to lock `c->mtx`, leading to potential undefi [truncated]
A type confusion vulnerability in NanoMQ MQTT Broker prior to version 0.24.14 allows invalid object interpretation during dialer close operations. The issue stems from `aio->prov_data` being stored as `nni_quic_conn*` during dialing but read as `ex_quic_conn*` during dialer close, leading to potential hang or crash behavior on the close path. This vulnerability has a CVSS 3.1 score of 4.5 (MEDIUM severity [truncated]
CVE-2026-32134 is a remotely reachable denial-of-service issue in NanoMQ's MQTT broker. During high-concurrency reconnect traffic, a reconnect race can leave cached session metadata NULL while session resumption is restoring state for clean_start=0 clients. That can trigger a NULL pointer dereference in the transport peer callback and crash the broker process. The issue is fixed in NanoMQ 0.24.11.