SB2026062312 - Improper input validation in NanoMQ
Published: June 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2026-35217)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause improper subscription handling.
The vulnerability exists due to improper input validation in nmq_subinfo_decode() in nng/src/sp/protocol/mqtt/mqtt_parser.c when processing MQTT v5 SUBSCRIBE packets with a missing final Subscription Options byte. A remote attacker can send a specially crafted SUBSCRIBE packet to cause improper subscription handling.
The malformed packet may be accepted and installed into internal subscription state even though the subscription entry is incomplete.
Remediation
Install update from vendor's website.