SB2026062312 - Improper input validation in NanoMQ




Published: June 23, 2026

Security Bulletin ID: SB2026062312
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Input validation error (CVE-ID: CVE-2026-35217)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause improper subscription handling.

The vulnerability exists due to improper input validation in nmq_subinfo_decode() in nng/src/sp/protocol/mqtt/mqtt_parser.c when processing MQTT v5 SUBSCRIBE packets with a missing final Subscription Options byte. A remote attacker can send a specially crafted SUBSCRIBE packet to cause improper subscription handling.

The malformed packet may be accepted and installed into internal subscription state even though the subscription entry is incomplete.
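
One way to check the MQTT v5 SUBSCRIBE payload layout before any entry reaches subscription state, given here as an added example (it is not NanoMQ's code or its patch). The function name, error codes and sample payloads are constructed for illustration; the whole payload is rejected if any entry lacks its Subscription Options byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { SUB_ERR_EMPTY = -1, SUB_ERR_TRUNCATED = -2, SUB_ERR_OPTIONS = -3 };

/* Constructed sample payloads (not captured traffic). */
static const uint8_t payload_ok[]        = { 0x00, 0x03, 'a', '/', 'b', 0x01 };
static const uint8_t payload_truncated[] = { 0x00, 0x03, 'a', '/', 'b', 0x01,
                                             0x00, 0x01, 'c' /* options byte missing */ };
static const uint8_t payload_reserved[]  = { 0x00, 0x01, 'x', 0xC0 };

/*
 * Validate an MQTT v5 SUBSCRIBE payload: one or more entries of
 *   [2-byte big-endian length][topic filter][1 Subscription Options byte].
 * Returns the number of complete entries, or a negative SUB_ERR_* code.
 * The caller installs subscriptions only after the whole payload validates.
 */
int validate_subscribe_payload(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    if (buf == NULL || len == 0)
        return SUB_ERR_EMPTY;               /* at least one entry is required */
    while (pos < len) {
        if (len - pos < 2)
            return SUB_ERR_TRUNCATED;       /* no room for the length prefix */
        size_t tlen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
        if (tlen == 0)
            return SUB_ERR_EMPTY;           /* empty topic filter */
        if (len - pos < tlen + 1)
            return SUB_ERR_TRUNCATED;       /* filter or options byte missing */
        pos += tlen;
        uint8_t opts = buf[pos++];
        /* QoS 3, Retain Handling 3 and reserved bits 6-7 are all invalid. */
        if ((opts & 0x03) == 0x03 || (opts & 0x30) == 0x30 || (opts & 0xC0))
            return SUB_ERR_OPTIONS;
        count++;
    }
    return count;
}

int main(void)
{
    printf("%d %d %d\n", validate_subscribe_payload(payload_ok, sizeof payload_ok),
           validate_subscribe_payload(payload_truncated, sizeof payload_truncated),
           validate_subscribe_payload(payload_reserved, sizeof payload_reserved));
    return 0;
}
```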


Remediation

Install the update from the vendor's website.