CVE-2024-8376

In Eclipse Mosquitto up to version 2.0.18a, an attacker can cause a memory leak, a segmentation fault or a heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Credits

Roman Kraus (Fraunhofer FOKUS)
Steffen Lüdtke (Fraunhofer FOKUS)
Martin Schneider (Fraunhofer FOKUS)
Ramon Barakat (Fraunhofer FOKUS)

References