Input validation error in NanoMQ - CVE-2026-35217
Published: June 23, 2026
NanoMQ
Detailed vulnerability description
The vulnerability allows a remote attacker to cause improper subscription handling.
The vulnerability exists due to improper input validation in nmq_subinfo_decode() in nng/src/sp/protocol/mqtt/mqtt_parser.c when processing MQTT v5 SUBSCRIBE packets with a missing final Subscription Options byte. A remote attacker can send a specially crafted SUBSCRIBE packet to cause improper subscription handling.
The malformed packet may be accepted and installed into internal subscription state even though the subscription entry is incomplete.
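The check that the description says is missing can be illustrated with a stand-alone validator. This is an added example, not NanoMQ's code or its patch: validate_subscribe_payload() and the sample byte arrays are hypothetical, and the function assumes the caller has already stripped the packet identifier and properties so that only the SUBSCRIBE payload remains.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the payload of an MQTT v5 SUBSCRIBE packet. Each entry is:
 *   2-byte big-endian length | topic filter | 1 Subscription Options byte
 * Returns the number of complete entries, or -1 if the payload is malformed.
 * Hypothetical helper: a caller should install nothing into subscription
 * state unless the whole payload validates (return value > 0). */
int validate_subscribe_payload(const uint8_t *p, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        if (len - pos < 2)
            return -1;                  /* truncated length prefix */
        size_t tlen = ((size_t)p[pos] << 8) | p[pos + 1];
        pos += 2;
        if (tlen == 0 || len - pos < tlen)
            return -1;                  /* empty or truncated topic filter */
        pos += tlen;
        if (pos >= len)
            return -1;                  /* missing Subscription Options byte */
        uint8_t opts = p[pos++];
        if ((opts & 0xC0) != 0)
            return -1;                  /* reserved bits 6-7 must be zero */
        if ((opts & 0x03) == 3)
            return -1;                  /* QoS 3 is not defined */
        if (((opts >> 4) & 0x03) == 3)
            return -1;                  /* Retain Handling 3 is not defined */
        count++;
    }
    return count > 0 ? count : -1;      /* at least one entry is required */
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t ok_payload[]    = { 0x00, 0x03, 'a', '/', 'b', 0x01 };
static const uint8_t trunc_payload[] = { 0x00, 0x03, 'a', '/', 'b' };
static const uint8_t second_trunc[]  = { 0x00, 0x01, 'a', 0x00, 0x00, 0x01, 'b' };

int main(void)
{
    printf("ok=%d trunc=%d second_trunc=%d\n",
           validate_subscribe_payload(ok_payload, sizeof ok_payload),
           validate_subscribe_payload(trunc_payload, sizeof trunc_payload),
           validate_subscribe_payload(second_trunc, sizeof second_trunc));
    return 0;
}
```

The third sample shows why validation should finish before any state is changed: the first entry is well formed, and only the last entry lacks its options byte.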