CVE-2024-8376 — Missing Release of Memory after Effective Lifetime in Mosquitto

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-416 — Use After Free CWE-755 — Improper Handling of Exceptional Conditions6 documents6 sources

Severity

7.2HIGHNVD

EPSS

0.3%

top 47.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Mosquitto Eclipse Foundation Mosquitto

Timeline

PublishedOct 11

Description

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDeclipse/mosquitto< 2.0.19

▶Debianeclipse/mosquitto< 2.0.11-1.2+deb12u2+2

▶CVEListV5eclipse_foundation/mosquitto2.0.18

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-72qw-2vp3-gvg9: In Eclipse Mosquitto up to version 2↗2024-10-11

▶

OSV

CVE-2024-8376: In Eclipse Mosquitto up to version 2↗2024-10-11

▶

CVEList

Memory leak↗2024-10-11

▶

📋Vendor Advisories

Red Hat

mosquitto: sending specific sequences of packets may trigger memory leak↗2024-10-11

▶

Debian

CVE-2024-8376: mosquitto - In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaki...↗2024

▶