CVE-2026-21888
Published: 11 March 2026
Summary
CVE-2026-21888 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Emqx Nanomq. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21888, published on 2026-03-11, is an out-of-bounds read vulnerability in the NanoMQ MQTT Broker, an all-around edge messaging platform. The issue resides in the MQTT v5 Variable Byte Integer parsing function get_var_integer(), which accepts 5-byte variable integers without bounds checks. This reliably triggers an out-of-bounds read and crash when the broker is built with AddressSanitizer (ASan). It affects NanoMQ versions 0.24.6 and earlier, carrying a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-125 (Out-of-bounds Read).
Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. By sending a specially crafted MQTT v5 message with a malformed variable byte integer, an unauthenticated remote attacker can trigger the out-of-bounds read, causing the NanoMQ broker to crash and resulting in a denial-of-service condition due to high availability impact.
Mitigation details, including patches, are documented in the GitHub security advisory at https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5 and the related issue at https://github.com/nanomq/nanomq/issues/2192.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11190
Vulnerability details
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing MQTT broker via crafted packet triggers application crash/DoS via out-of-bounds read (CWE-125).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the missing bounds checks in get_var_integer() by applying patches to prevent out-of-bounds reads and broker crashes.
Information input validation enforces bounds checking on MQTT v5 variable byte integers to block malformed inputs causing out-of-bounds reads.
Denial-of-service protection at MQTT broker entry points mitigates remote exploitation of crafted messages triggering crashes.