{"id":"CVE-2026-32134","summary":"NanoMQ: NULL Pointer Dereference Crash in tcptran_pipe_peer During Session Restore","details":"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe-\u003esubinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe-\u003esubinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.","aliases":["GHSA-q36f-83mh-pcv2"],"modified":"2026-07-15T20:06:18.444009Z","published":"2026-05-19T17:22:13.431Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-476"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32134.json"},"references":[{"type":"WEB","url":"https://github.com/nanomq/nanomq/releases/tag/0.24.11"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32134.json"},{"type":"ADVISORY","url":"https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32134"},{"type":"REPORT","url":"https://github.com/nanomq/nanomq/issues/2241"},{"type":"FIX","url":"https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nanomq/nanomq","events":[{"introduced":"0"},{"fixed":"69a97b3b39cc218f044f1c8896f4d3d8757bb394"}],"database_specific":{"source":"REFERENCES"}},{"type":"GIT","repo":"https://github.com/nanomq/nanonng","events":[{"introduced":"0"},{"fixed":"522ec62e29e60d1122f2aedaa6e702dcf089f7bb"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.24.11"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["0.24.10","0.24.9","0.24.8","0.24.7","0.24.6","0.24.5","0.24.4","0.24.3-5","0.24.3","0.24.2","0.24.1","0.24.0","0.23.10","0.23.9","0.23.8","0.23.7-11","0.23.7","0.23.6","0.23.5","0.23.4","0.23.3","0.23.2","0.23.1","0.23.0","0.22.10","0.22.8","0.22.7","0.22.6","0.22.2","0.22.3","0.22.1","0.22.0","0.21.10","0.21.9","0.21.8","0.21.7","0.21.6","0.21.5","0.21.2","0.21.1","0.21","0.20.8","0.20.6","0.20.5","0.20.0","0.19.5","0.19.1","0.19.0","0.18.2","0.18.1","0.17.8","0.17.5","0.17.2","0.16.5","0.16.3","0.16.2","0.16.0","0.15.5","0.15.3","0.15.2","0.15.1","0.15.0","0.14.8","0.14.5","0.12.1","0.14.1","0.14.0","0.13.8","0.13.6","0.13.0","0.12.5","0.12.2","0.12.0","0.11.82","0.11.8","0.11.5","0.11.3","0.11.2","0.11.0","0.10.8","0.10.5","0.10.1","0.9.7","0.9.5","0.9.2","0.9.0","0.8.6log","0.8.5","0.8.3","0.8.0","0.7.9","0.7.8","0.7.5","0.7.5rc","0.7.4rc","0.7.4","0.7.3","0.7.2","0.6.8","0.7.0","0.6.7rc","0.6.4","0.6.3","0.6.2","0.6.0","0.5.9","0.5.8","0.5.5","0.5.2","0.5.0","0.4.8","0.4.5","0.4.3","0.4.2","0.4.1","0.4.0","0.3.8","0.3.5","0.3.4","0.3.3","0.3.2","0.3.0","0.2.5","0.2.2","0.2.1","0.2.0","0.1.0","0.0.3","0.0.2","0.0.1","0.24.11-sdv","0.24.11","0.22.4","0.17.0","0.13.5","0.13"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32134.json","vanir_signatures_modified":"2026-07-15T20:06:18Z","vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["180359922795876309976203668572873068190","45691574311122879958817524065342053981","159405900866248680086371035076931463742","240762435158994077651166218649017100982","236677275678260574708412570684930228455","312863512122022797989787357053666054555","174123553900327680901554955736186249968"],"threshold":0.9},"id":"CVE-2026-32134-561521fc","signature_type":"Line","signature_version":"v1","source":"https://github.com/nanomq/nanonng/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb","target":{"file":"src/sp/transport/mqttws/nmq_websocket.c"}},{"target":{"file":"nanomq/rest_api.c","function":"URLDecoding"},"deprecated":false,"digest":{"function_hash":"9404688613459076675520313305819057131","length":400},"id":"CVE-2026-32134-6b8e96dc","signature_type":"Function","signature_version":"v1","source":"https://github.com/nanomq/nanomq/commit/69a97b3b39cc218f044f1c8896f4d3d8757bb394"},{"deprecated":false,"digest":{"length":1345,"function_hash":"144153350689969700568933714407583495460"},"id":"CVE-2026-32134-7d7403d5","signature_type":"Function","signature_version":"v1","source":"https://github.com/nanomq/nanonng/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb","target":{"file":"src/sp/transport/mqtts/broker_tls.c","function":"tlstran_pipe_peer"}},{"source":"https://github.com/nanomq/nanomq/commit/69a97b3b39cc218f044f1c8896f4d3d8757bb394","target":{"file":"nanomq/rest_api.c"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["314939031063357473425211000091759825555","79922476334093433481878188188230999595","115263727495026806456280480745001946541","335218920824431505626218604016560156406","109158426613458411923007034979039306216","263681326533205234187064883824333311768","139441057993715914564204102246260204056","163275836091019848639868326419883599422","232121921634077527089748850232063524540","137394070370141786835294877511344983945","309685692115858805372826425817723344625","180388931056228509517262893763708737544","253428475422003770740128093206280066637","83550170779872102422996397850477648840","157313739316912141087249248541460484873","125769424802170566273063628751569605473","168414094773912658563452953649189013304","332362556983238829505363368071561531910","139080809027202171145826152883316190111","74558128130252978070217973971791797169","57183551417306817156709030268492486682","188941984843814473912361960001297154924","34506272294443398337174980782299368690","293093021700596718330870323291220891427","218751175568408722690396640046618194911","264659906953652634920202064776704951932","183224120377393872789845349723215242491","192835487626449624614785956582916206428","151761993079419734514314841474824734052","209483360540906363404199890844243360425","259839083518275882442824479080929806326","165164928652970171162734450120824360205","342063255244962909075184816900792588","250741181287203539435992289254546992053","240888907075867659452765873170276375840"]},"id":"CVE-2026-32134-845bbb84","signature_type":"Line","signature_version":"v1"},{"target":{"file":"src/sp/transport/mqtts/broker_tls.c"},"deprecated":false,"digest":{"line_hashes":["256232385624735259090518377375737112227","316465675479941423688724540639015627202","159405900866248680086371035076931463742","240762435158994077651166218649017100982","236677275678260574708412570684930228455","312863512122022797989787357053666054555","174123553900327680901554955736186249968"],"threshold":0.9},"id":"CVE-2026-32134-877ec63c","signature_type":"Line","signature_version":"v1","source":"https://github.com/nanomq/nanonng/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb"},{"deprecated":false,"digest":{"function_hash":"144153350689969700568933714407583495460","length":1345},"id":"CVE-2026-32134-88763801","signature_type":"Function","signature_version":"v1","source":"https://github.com/nanomq/nanonng/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb","target":{"file":"src/sp/transport/mqtt/broker_tcp.c","function":"tcptran_pipe_peer"}},{"target":{"file":"src/sp/transport/mqttws/nmq_websocket.c","function":"wstran_pipe_peer"},"deprecated":false,"digest":{"function_hash":"293477401416401812591338456530771573354","length":1377},"id":"CVE-2026-32134-8e485b5d","signature_type":"Function","signature_version":"v1","source":"https://github.com/nanomq/nanonng/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb"},{"deprecated":false,"digest":{"function_hash":"5795522914121648582782519407379809587","length":8677},"id":"CVE-2026-32134-dc67de60","signature_type":"Function","signature_version":"v1","source":"https://github.com/nanomq/nanomq/commit/69a97b3b39cc218f044f1c8896f4d3d8757bb394","target":{"file":"nanomq/rest_api.c","function":"process_request"}},{"id":"CVE-2026-32134-df61678f","signature_type":"Line","signature_version":"v1","source":"https://github.com/nanomq/nanonng/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb","target":{"file":"src/sp/transport/mqtt/broker_tcp.c"},"deprecated":false,"digest":{"line_hashes":["256232385624735259090518377375737112227","316465675479941423688724540639015627202","159405900866248680086371035076931463742","240762435158994077651166218649017100982","236677275678260574708412570684930228455","312863512122022797989787357053666054555","174123553900327680901554955736186249968"],"threshold":0.9}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}