CVE-2024-8376

moderate-risk

Published 2024-10-11

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Do I need to act?

0.29% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Mosquitto

Affected Vendors

Eclipse

References (8)

Patch https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbf...

Patch https://github.com/eclipse/mosquitto/releases/tag/v2.0.19

Issue Tracking https://gitlab.eclipse.org/security/cve-assignement/-/issues/26

Issue Tracking https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216

Issue Tracking https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217

Issue Tracking https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218

Issue Tracking https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227

Product https://mosquitto.org/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal