CVE-2024-8376

HIGH

Eclipse Mosquitto <2.0.18a - Use After Free

Title source: llm

Description

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

References (8)

[Issue Tracking] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216

[Issue Tracking] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217

[Issue Tracking] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218

[Issue Tracking] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227

[Issue Tracking] https://gitlab.eclipse.org/security/cve-assignement/-/issues/26

[Patch, Product] https://github.com/eclipse/mosquitto/releases/tag/v2.0.19

[Product] https://mosquitto.org/

[Patch] https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0029

EPSS Percentile 52.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-755 CWE-401 CWE-416

Status published

Products (1)

eclipse/mosquitto < 2.0.19

Published Oct 11, 2024

Tracked Since Feb 18, 2026