VDB

ALPINE-CVE-2023-28366

ALPINE-CVE-2023-28366 PUBLISHED CVSS 7.5 HIGH

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Alpine:v3.24mosquitto1.3.2
Alpine:v3.22mosquitto1.3.2, 2.0.9-r1, 2.0.9-r0
Alpine:v3.21mosquitto1.2.2-r0, 1.3.2, 2.0.9-r1
Alpine:v3.19mosquitto1.2.2-r0, 1.3.2, 2.0.9-r1
Alpine:v3.18mosquitto1.3.2, 0, 1.2.2-r0
Alpine:v3.20mosquitto1.6.10-r0, 1.3.2, 2.0.9-r1
Alpine:v3.23mosquitto1.2.2-r0, 1.2.2-r1, 1.2.3-r0

Timeline

  • Sep 1, 2023 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jul 8, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›