CVE-2026-32696
Published: 30 March 2026
Summary
CVE-2026-32696 is a low-severity NULL Pointer Dereference (CWE-476) vulnerability in EMQX NanoMQ. Its CVSS base score is 3.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation requires applying the vendor patch (0.24.7) that fixes the NULL pointer dereference in auth_http.c:set_data().
Secure error handling prevents crashes by ensuring the broker does not call strlen() on NULL pointers when processing MQTT CONNECT packets without credentials under HTTP auth with placeholders.
Input validation of MQTT CONNECT packets checks for presence of username/password before substituting placeholders like %u/%P in HTTP requests, avoiding the NULL dereference.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A NULL dereference in a public-facing MQTT broker enables a remote, unauthenticated crash/DoS via a crafted CONNECT packet (T1190 for exploitation of an exposed application; T1499.004 for endpoint DoS via direct vulnerability exploitation).
NVD Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
Deeper analysis
CVE-2026-32696 is a NULL pointer dereference vulnerability (CWE-476) in the NanoMQ MQTT Broker, an edge messaging platform. It affects version 0.24.6 specifically when HTTP authentication (auth.http_auth) is enabled and configuration parameters use placeholders like %u for username and %P for password. During the HTTP request construction in auth_http.c:set_data(), an MQTT CONNECT packet without username or password triggers a strlen() call on a NULL pointer, resulting in a SIGSEGV crash.
A remote, unauthenticated attacker can exploit this by sending an MQTT CONNECT packet lacking credentials to the broker under the specified configuration. This leads to a denial-of-service condition via broker crash. The CVSS v3.1 base score of 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) reflects low severity, with high attack complexity and required user interaction.
The issue is addressed in NanoMQ version 0.24.7. Mitigation involves upgrading to the patched release, as detailed in the GitHub security advisory (GHSA-77f4-wvq8-mp3p), release notes, associated pull request (#1394), and commit (c20aa27e5290bb480a5315099952480d35f37a8b).
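The presence check described under the mitigating controls can be sketched as follows. This is an added example, not NanoMQ's set_data() or the code from the fix; the names expand_auth_param and lookup are hypothetical, and refusing to build the request when a referenced credential is absent is an assumed policy.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: if p points at "%u" or "%P", return the value it
 * refers to; otherwise return NULL. A credential that was absent from the
 * CONNECT packet (NULL) sets *missing and is never passed to strlen(). */
static const char *lookup(const char *p, const char *user,
                          const char *pass, int *missing)
{
    const char *v;
    if (p[0] != '%') return NULL;
    if (p[1] == 'u') v = user;
    else if (p[1] == 'P') v = pass;
    else return NULL;
    if (v == NULL) { *missing = 1; return ""; }
    return v;
}

/* Expands %u / %P in an HTTP auth parameter template. Returns a malloc'd
 * string, or NULL when a placeholder needs a credential the client did not
 * send (assumed policy: the caller denies the connection) or on OOM. */
char *expand_auth_param(const char *tmpl, const char *user, const char *pass)
{
    int missing = 0;
    size_t need = 1; /* room for the terminating NUL */
    const char *p, *v;
    char *out, *w;

    if (tmpl == NULL) return NULL;
    for (p = tmpl; *p; p++) {           /* pass 1: validate and size */
        v = lookup(p, user, pass, &missing);
        if (v) { need += strlen(v); p++; } else need++;
    }
    if (missing) return NULL;
    out = malloc(need);
    if (out == NULL) return NULL;
    for (p = tmpl, w = out; *p; p++) {  /* pass 2: copy and substitute */
        v = lookup(p, user, pass, &missing);
        if (v) { size_t n = strlen(v); memcpy(w, v, n); w += n; p++; }
        else *w++ = *p;
    }
    *w = '\0';
    return out;
}
```

A template with no placeholders still expands when both credentials are NULL, so only configurations that actually reference %u or %P reject credential-less clients.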
Details
- CWE(s)