Input validation error in NanoMQ - CVE-2026-35217

 


Published: June 23, 2026


Vulnerability identifier: #VU135038
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35217
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: NanoMQ
Affected software:
NanoMQ

Detailed vulnerability description

The vulnerability allows a remote attacker to cause improper subscription handling.

The vulnerability exists due to improper input validation in nmq_subinfo_decode() in nng/src/sp/protocol/mqtt/mqtt_parser.c when processing MQTT v5 SUBSCRIBE packets with a missing final Subscription Options byte. A remote attacker can send a specially crafted SUBSCRIBE packet to cause improper subscription handling.

The malformed packet may be accepted and installed into internal subscription state even though the subscription entry is incomplete.
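
A strict payload check of the kind this description calls for, as an added example that is not NanoMQ's code or the vendor's patch: it rejects a SUBSCRIBE payload whose last topic filter has no Subscription Options byte, and applies the MQTT v5 rules for that byte. It assumes the fixed header, packet identifier and properties have already been parsed; the function name, result codes and sample payloads are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes: hypothetical names for this example, not NanoMQ's. */
enum { SUB_EMPTY = -1, SUB_TRUNCATED = -2, SUB_BAD_FILTER = -3, SUB_BAD_OPTIONS = -4 };

/*
 * Validate an MQTT v5 SUBSCRIBE payload made of one or more entries:
 *   [2-byte big-endian length][topic filter][1-byte Subscription Options]
 * Returns the number of complete entries, or a negative code. The caller
 * installs subscriptions only after the whole payload has validated.
 */
int check_subscribe_payload(const uint8_t *p, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        if (len - pos < 2)
            return SUB_TRUNCATED;           /* length prefix cut short */
        size_t flen = ((size_t)p[pos] << 8) | p[pos + 1];
        pos += 2;
        if (flen == 0)
            return SUB_BAD_FILTER;          /* filter must be at least 1 byte */
        if (len - pos < flen)
            return SUB_TRUNCATED;           /* filter runs past the payload */
        pos += flen;
        if (pos == len)
            return SUB_TRUNCATED;           /* Subscription Options byte missing */
        uint8_t opts = p[pos++];
        /* Reserved bits 6-7 must be 0; QoS 3 and Retain Handling 3 are invalid. */
        if ((opts & 0xC0) || (opts & 0x03) == 0x03 || (opts & 0x30) == 0x30)
            return SUB_BAD_OPTIONS;
        count++;
    }
    return count > 0 ? count : SUB_EMPTY;   /* at least one entry is required */
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t ok_two[]  = { 0, 3, 'a', '/', 'b', 0x01, 0, 1, '#', 0x00 };
static const uint8_t no_opts[] = { 0, 3, 'a', '/', 'b', 0x01, 0, 1, '#' };

int main(void)
{
    printf("complete payload:     %d\n", check_subscribe_payload(ok_two, sizeof ok_two));
    printf("options byte missing: %d\n", check_subscribe_payload(no_opts, sizeof no_opts));
    return 0;
}
```

Validating the whole payload before touching subscription state means a packet that fails on its last entry leaves no partial entries behind.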


How to mitigate CVE-2026-35217

Install the security update from the vendor's website.
