CVE-2026-58210 in NATS Serverinfo

Summary

by MITRE • 07/08/2026

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the parser waited for the advertised MQTT packet length. This issue is fixed in versions 2.14.3 and 2.12.12.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

The NATS Server vulnerability represents a significant memory exhaustion flaw that affects the cloud and edge native messaging system's MQTT protocol implementation. This vulnerability specifically impacts versions prior to 2.14.3 and 2.12.12, creating a persistent denial of service condition where unauthenticated clients can manipulate server resources through malformed MQTT CONNECT packets. The issue stems from the server's handling of incomplete packet processing without proper authentication verification, allowing malicious actors to consume excessive memory resources while the parser awaits complete packet data.

The technical flaw manifests when an unauthenticated MQTT client establishes a connection and sends an incomplete CONNECT packet that advertises a larger payload size than actually transmitted. This creates a memory allocation scenario where the NATS Server reserves memory space for what it believes is a large packet but never receives the complete data. The parser remains in a waiting state indefinitely, consuming server resources and potentially leading to memory exhaustion across multiple connections. This vulnerability directly maps to CWE-400, which addresses unspecified resource management issues in software systems, particularly concerning memory allocation and deallocation without proper bounds checking.

The operational impact of this vulnerability extends beyond simple resource consumption, creating potential service disruption and system instability for organizations relying on NATS Server implementations. Attackers can leverage this weakness to launch denial of service attacks by establishing multiple connections with incomplete packets, gradually consuming all available memory resources. This scenario particularly affects environments where NATS Server operates in high-throughput scenarios or where resource constraints are already tight. The vulnerability also creates opportunities for attackers to exploit system stability through resource exhaustion, potentially causing cascading failures in dependent services that rely on the messaging infrastructure.

Security practitioners should prioritize patching affected NATS Server deployments to versions 2.14.3 and 2.12.12, which implement proper packet validation and authentication requirements before memory allocation occurs. Network monitoring should include detection of unusual memory consumption patterns and connection establishment behavior that might indicate exploitation attempts. Additionally, implementing rate limiting and connection throttling mechanisms can provide additional defense-in-depth measures against this specific attack vector. The fix addresses the root cause by requiring proper authentication before processing MQTT CONNECT packets, preventing unauthorized clients from triggering memory allocation for incomplete data. Organizations should also consider implementing MQTT protocol compliance checking and monitoring for malformed packet sequences that could indicate exploitation attempts, aligning with ATT&CK technique T1499.004 for resource exhaustion attacks.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!