Nixpkgs security tracker

Permalink CVE-2026-45151

2.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 3 weeks, 1 day ago Activity log

Created suggestion 3 weeks, 1 day ago

NanoMQ: NULL Pointer Dereference

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not return before locking c->mtx.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-9qhf-wgp4-p7w5 x_refsource_CONFIRM

Affected products

nanomq

==<= 0.24.8

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.11
- nixpkgs-unstable 0.24.11
- nixos-unstable-small 0.24.11

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Permalink CVE-2026-44640

4.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

created 3 weeks, 1 day ago Activity log

Created suggestion 3 weeks, 1 day ago

NanoMQ: QUIC Dialer Close Type Confusion

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-9fgw-v323-jmjj x_refsource_CONFIRMexploit
https://github.com/nanomq/nanomq/releases/tag/0.24.14 x_refsource_MISC

Affected products

nanomq

==< 0.24.14

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.11
- nixpkgs-unstable 0.24.11
- nixos-unstable-small 0.24.11

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Permalink CVE-2026-32134

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 1 month ago Activity log

Created suggestion 1 month ago

NanoMQ: NULL Pointer Dereference Crash in tcptran_pipe_peer During Session Restore

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2 x_refsource_CONFIRMexploit
https://github.com/nanomq/nanomq/issues/2241 exploitx_refsource_MISC
https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb x_refsource_MISC
https://github.com/nanomq/nanomq/releases/tag/0.24.11 x_refsource_MISC

Affected products

nanomq

==< 0.24.11

NanoNNG

==< 0.24.11

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.11
- nixpkgs-unstable 0.24.11
- nixos-unstable-small 0.24.11

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Permalink CVE-2026-34608

4.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

nanomq: Heap-Buffer-Overflow in webhook_inproc.c via cJSON_Parse OOB Read

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-8p57-jxj9-3qq3 x_refsource_CONFIRM
https://github.com/nanomq/nanomq/commit/9499a4b2c47998a6aadb69238c18b9e6771b1691 x_refsource_MISC
https://github.com/nanomq/nanomq/releases/tag/0.24.10 x_refsource_MISC

Affected products

nanomq

==< 0.24.10

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.11
- nixpkgs-unstable 0.24.11
- nixos-unstable-small 0.24.11

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Permalink CVE-2026-21888

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 3 months, 1 week ago Activity log

Created suggestion 3 months, 1 week ago

MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer()

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5 x_refsource_CONFIRM
https://github.com/nanomq/nanomq/issues/2192 x_refsource_MISC

Affected products

nanomq

==<= 0.24.6

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.10
- nixpkgs-unstable 0.24.10
- nixos-unstable-small 0.24.10

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers