Cyber Posture

CVE-2026-21888

HighPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0009 25.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21888 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Emqx Nanomq. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated exploitation of public-facing MQTT broker via crafted packet triggers application crash/DoS via out-of-bounds read (CWE-125).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier.

Deeper analysisAI

CVE-2026-21888, published on 2026-03-11, is an out-of-bounds read vulnerability in the NanoMQ MQTT Broker, an all-around edge messaging platform. The issue resides in the MQTT v5 Variable Byte Integer parsing function get_var_integer(), which accepts 5-byte variable integers without bounds checks. This reliably triggers an out-of-bounds read and crash when the broker is built with AddressSanitizer (ASan). It affects NanoMQ versions 0.24.6 and earlier, carrying a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-125 (Out-of-bounds Read).

Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. By sending a specially crafted MQTT v5 message with a malformed variable byte integer, an unauthenticated remote attacker can trigger the out-of-bounds read, causing the NanoMQ broker to crash and resulting in a denial-of-service condition due to high availability impact.

Mitigation details, including patches, are documented in the GitHub security advisory at https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5 and the related issue at https://github.com/nanomq/nanomq/issues/2192.

Details

CWE(s)
CWE-125

Affected Products

emqx
nanomq
≤ 0.24.6

CVEs Like This One

CVE-2026-25627Same product: Emqx Nanomq
CVE-2026-32696Same product: Emqx Nanomq
CVE-2024-48077Same product: Emqx Nanomq
CVE-2026-34608Same product: Emqx Nanomq
CVE-2026-32135Same product: Emqx Nanomq
CVE-2026-3622Shared CWE-125
CVE-2026-32319Shared CWE-125
CVE-2026-41604Shared CWE-125
CVE-2026-32877Shared CWE-125
CVE-2026-35203Shared CWE-125

References