We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-8376

Memory leak



Description

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Reserved 2024-09-02 | Published 2024-10-11 | Updated 2024-10-31 | Assigner eclipse


HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-401 Missing Release of Memory after Effective Lifetime

CWE-416 Use After Free

CWE-755 Improper Handling of Exceptional Conditions

Product status

Default status
unaffected

2.0.18
affected

2.0.19
unaffected

Credits

Roman Kraus (Fraunhofer FOKUS) finder

Steffen Lüdtke (Fraunhofer FOKUS) finder

Martin Schneider (Fraunhofer FOKUS) finder

Ramon Barakat (Fraunhofer FOKUS) finder

References

gitlab.eclipse.org/...ity/vulnerability-reports/-/issues/216 issue-tracking

gitlab.eclipse.org/...ity/vulnerability-reports/-/issues/217 issue-tracking

gitlab.eclipse.org/...ity/vulnerability-reports/-/issues/218 issue-tracking

gitlab.eclipse.org/...ity/vulnerability-reports/-/issues/227 issue-tracking

gitlab.eclipse.org/security/cve-assignement/-/issues/26 vendor-advisory

github.com/eclipse/mosquitto/releases/tag/v2.0.19 patch

mosquitto.org/ product

github.com/...ommit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17 patch

cve.org (CVE-2024-8376)

nvd.nist.gov (CVE-2024-8376)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-8376

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.