CVE-2026-36590
Summary
by MITRE • 07/16/2026
An issue in EMQ NanoMQ v.0.24.9 allows a remote attacker to cause a denial of service via the nni_qos_db_set function in broker_tcp.c component
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability identified in EMQ NanoMQ version 0.24.9 represents a critical denial of service condition that can be exploited by remote attackers through manipulation of the nni_qos_db_set function within the broker_tcp.c component. This issue stems from inadequate input validation and memory management practices within the Quality of Service database handling mechanism, which forms a fundamental part of the MQTT broker's message delivery assurance system. The vulnerability specifically targets the TCP broker implementation where QoS level 1 and 2 message acknowledgments are processed, creating an opportunity for attackers to disrupt normal service operations without requiring authentication or elevated privileges.
The technical flaw manifests when the nni_qos_db_set function receives malformed or crafted input data that causes unexpected behavior in the underlying database management system. This function is responsible for storing and managing QoS state information for published messages, particularly those requiring guaranteed delivery mechanisms. When processing incoming MQTT packets with maliciously constructed QoS parameters or sequence numbers, the function fails to properly validate the input boundaries, leading to potential buffer overflows, memory corruption, or resource exhaustion conditions. The vulnerability operates at the protocol implementation level where the broker handles message state transitions and acknowledgment tracking, making it particularly dangerous as it can affect core messaging functionality.
The operational impact of this denial of service vulnerability extends beyond simple service disruption to potentially compromise the reliability and availability of MQTT-based communication systems that depend on NanoMQ for message brokering. Attackers can exploit this weakness by sending specially crafted MQTT messages that trigger the vulnerable code path, causing the broker process to crash, become unresponsive, or consume excessive system resources. In production environments where NanoMQ serves as a critical messaging infrastructure component, such an attack could result in significant downtime, data loss, or cascading failures across dependent services that rely on message delivery guarantees. The vulnerability is particularly concerning for industrial IoT deployments, smart city applications, and enterprise messaging systems where continuous availability is paramount.
Mitigation strategies for this vulnerability should include immediate deployment of patches provided by EMQX developers or applying custom fixes that enhance input validation within the nni_qos_db_set function. System administrators should implement network-level protections such as rate limiting and connection throttling to reduce the impact of potential attacks, while also monitoring for unusual patterns in QoS message handling that might indicate exploitation attempts. The vulnerability aligns with CWE-129 Input Validation and Output Formatting category, specifically addressing improper validation of input boundaries and insufficient bounds checking. From an ATT&CK framework perspective, this represents a denial of service attack using protocol manipulation techniques under the T1499 technique category for network denial of service. Organizations should also consider implementing intrusion detection systems that monitor for anomalous QoS database operations and establish incident response procedures specifically addressing MQTT broker availability issues to minimize operational impact during exploitation attempts.