Eclipse Mosquitto 2.0.18a: heap-use-after-free via crafted MQTT packets
CVE-2024-8376 Published on October 11, 2024
Memory leak
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
Weakness Types
What is a Memory Leak Vulnerability?
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
CVE-2024-8376 has been classified to as a Memory Leak vulnerability or weakness.
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2024-8376 has been classified to as a Dangling pointer vulnerability or weakness.
Improper Handling of Exceptional Conditions
The software does not handle or incorrectly handles an exceptional condition.
Products Associated with CVE-2024-8376
Want to know whenever a new CVE is published for Eclipse Mosquitto? stack.watch will email you.
Affected Versions
Eclipse Foundation Mosquitto:- Version 2.0.18 is affected.
- Version 2.0.19 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.