CVE-2024-8376

Oct. 31, 2024, 10:15 a.m.

Product(s) Impacted

Eclipse Mosquitto

up to 2.0.18a

Description

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Weaknesses

CWE-401

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

CWE ID: 401

Date

Published: Oct. 11, 2024, 4:15 p.m.

Last Modified: Oct. 31, 2024, 10:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

emo@eclipse.org

References

https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17

emo@eclipse.org

https://github.com/eclipse/mosquitto/releases/tag/v2.0.19

emo@eclipse.org

https://gitlab.eclipse.org/security/cve-assignement/-/issues/26

emo@eclipse.org

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216

emo@eclipse.org

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217

emo@eclipse.org

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218

emo@eclipse.org

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227

emo@eclipse.org

https://mosquitto.org/

emo@eclipse.org

CVE-2024-8376

Tags

Product(s) Impacted

Description

Weaknesses

CWE-401

Missing Release of Memory after Effective Lifetime

Date

Status : Awaiting Analysis

Source

References

Share