CVE Alert

CVE-2026-44640

MEDIUM 4.5

NanoMQ: QUIC Dialer Close Type Confusion

CVSS Score: 4.5
EPSS Score: 0.0%
EPSS Percentile: 0th

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.

CWE: CWE-843
Vendor: nanomq
Product: nanomq
Published: May 29, 2026
Last Updated: May 29, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Affected Versions

nanomq / nanomq: < 0.24.14

References

github.com: https://github.com/nanomq/nanomq/security/advisories/GHSA-9fgw-v323-jmjj
github.com: https://github.com/nanomq/nanomq/releases/tag/0.24.14