{"id":"CVE-2023-28366","details":"The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.","modified":"2026-04-16T00:08:35.819270336Z","published":"2023-09-01T16:15:07.790Z","related":["openSUSE-SU-2024:13546-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/"},{"type":"ADVISORY","url":"https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16"},{"type":"ADVISORY","url":"https://mosquitto.org/blog/2023/08/version-2-0-16-released/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-09"},{"type":"ADVISORY","url":"https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5511"},{"type":"FIX","url":"https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-mosquitto/mosquitto","events":[{"introduced":"aa86554592d0f647b81b13f2261de9e0a1db328b"},{"fixed":"9e0831b3ed87f9b9a60a01f74040a077f40946c4"},{"fixed":"6113eac95a9df634fbc858be542c4a0456bfe7b9"}],"database_specific":{"cpe":"cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"1.3.2"},{"fixed":"2.0.16"}]}}],"database_specific":{"vanir_signatures":[{"id":"CVE-2023-28366-18fe6b0d","digest":{"line_hashes":["185657097569852611019747651375616759342","209999690193844261600657640824575817910","262714375737707749729449280564698862210","113544244559198413476088767394824743019","267326251227741227197648920533818928064","258436533882721292395021596467209051712","38258990596941702244179043958296589558","119411380312742334604849879756551226859"],"threshold":0.9},"signature_type":"Line","target":{"file":"src/mosquitto_broker_internal.h"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-4041cf50","digest":{"length":449,"function_hash":"85713415389804966530401833418108576914"},"signature_type":"Function","deprecated":false,"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","target":{"file":"src/database.c","function":"db__message_store_find"}},{"id":"CVE-2023-28366-4453460c","digest":{"line_hashes":["85203686617921334122931309773104782963","23710556715149150766442125768545781868","210377574969576755433176658404951119394","204906490012894040605311080370175016273","51352871825099287746636005341958809218","245244588927891881347402652768491592215","54295819527118058986274638999235741974","58709611487170278350570706896418535961","188966278038212901259644039296422802172","121491130798754143747324310569218483875","168060610469975286238834495121271480872","243818753959484974924245613947040707726","297675887811281111375073487685650940132","246850466772222792007061566176411145115","77708104591149058527723804449298898991","123444508129672236059738110656937916737","142485415968948635100957916050997029583","130800659897187911907908921749501487661","36939496372981492002085358367676240982","250516870905248432996061988432922308808","287564889603778662247497187946842618330","155087356402055952260675224759308718474","275552698052329306921886093080860526025","338528681314502582076781088000297311081","16779954185988160979003386046327961021","218649294123002592778200418528830991825","273435754704731026736493754668513711278","60714744432978357492609945350922132610","235384048632786554176168446497430582357","108443995581779879963057415523552774923","54242442024042696381071677310349715624"],"threshold":0.9},"signature_type":"Line","target":{"file":"src/context.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-48c5accd","digest":{"line_hashes":["225965478467171857860656219612627121543","63721077317531796186912104735605219472","22148613686247422070126237315808800640","238133653920736806746653033640862334268"],"threshold":0.9},"signature_type":"Line","target":{"file":"lib/packet_mosq.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-4b0d7dea","digest":{"length":8123,"function_hash":"338417446044378657496509570798799570994"},"signature_type":"Function","target":{"function":"handle__publish","file":"src/handle_publish.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-525fc655","digest":{"length":3919,"function_hash":"222293763873296556295253402508700892342"},"signature_type":"Function","target":{"function":"db__message_insert","file":"src/database.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-60797d52","digest":{"length":1333,"function_hash":"231931202059463799750601680517501328194"},"signature_type":"Function","target":{"function":"context__cleanup","file":"src/context.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-6d125e39","digest":{"length":1103,"function_hash":"218124366995381517271089606604789197252"},"signature_type":"Function","deprecated":false,"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","target":{"file":"src/database.c","function":"db__message_reconnect_reset_incoming"}},{"id":"CVE-2023-28366-8ec8a4ad","digest":{"length":1021,"function_hash":"330822850778733328937627821807772393537"},"signature_type":"Function","target":{"function":"packet__queue","file":"lib/packet_mosq.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-9c2297e8","digest":{"line_hashes":["148439698011285391229640061018503430027","193884157198562109043756986446713071976","268003913166940693463062613495572534257","93470212933095506833207828998433787810","293107920441093381621252540661695309611","336532612033272413080647424215056336069","245924028653862352046537516774580852512","74417911621137080103795416538909655404","328075285344273315498438826831010426003","304469103496518714834391001078704961238","332587571481897972826159236719468804201","40450941149050339815895393838279785142","225955851564214513469217147877023588670","328105555249107538572249262310816041821","314480754195177696370134266832588423749","146211253344956192068600435308919490182","132914049417686246454038195254647643029","95806376992962230322255433018387416933","93837510039468956996497695731577358007","23677607537286836238448924762470603030","251222506798970475529777658928779129044","283223184173968883229575944683387597517","307764528710670872279970593473122935492","58628656801337995269213552703815642945","265926370144549717911044797555011939509","91832543265055739855786434351985934430","67465570707883692632569180673446647501","184166377919721310123633532536529351387","266469381569079615469150354937275797959","97309920803553867694542915966063473647","76559853429473989291511760230405249373","140462194964642300357372699844123312989","207719362532559643412451287535093255728","150686266850373025179799122922690869415","267328691234684908791127483306560718663","206185782990939382613289094370393296663","336006815494273437783699405605596333829","167547682325729722904831960139387663364","65229955881621229300816929559970842825"],"threshold":0.9},"signature_type":"Line","target":{"file":"src/handle_publish.c"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false},{"id":"CVE-2023-28366-ca260b6a","digest":{"line_hashes":["284678144602391982994741495688595127901","90062418651277654235375254877308322526","224031563416308138894487923223533272956","244599704645840444909880365514971371229","78662440587358656246339311389981312177","328063314687465075133178712133833691034","62673009183996010787818217947648658054","240263279487715468915157496214607161583","247437316759576094971340365246653075609","114218428937112973780808941413862499688","242220292696304958028714010603222851131","97079123716153341892737296187379036344","294716412097021236032413834554423723542","245920043064185822569838423269335786319","273659591907738510577578512014471303005","165259626786758636005208053484067052757","178959403323700001956541817957481877273","285119442359140001652079688237916066386","306062678102705011271277749035424012842","306319640997064409408073339233210381591","148390245304517491942904999764551877431","4702898437259336030350534267538890076","248589991316103867921190238552187422090","285119442359140001652079688237916066386","306062678102705011271277749035424012842","297272486308017044681635062932426071974","115232683780470693634812417872905333870","2301202664678743650681758272746296199","116566664999041821562625025468768441196","265586209421451058600815514989867795147","44861951891768416736155973252923372829"],"threshold":0.9},"signature_type":"Line","deprecated":false,"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","target":{"file":"src/database.c"}},{"id":"CVE-2023-28366-ca379b88","digest":{"length":1530,"function_hash":"138258085877140207332658078789223145234"},"signature_type":"Function","target":{"file":"src/context.c","function":"context__init"},"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","signature_version":"v1","deprecated":false}],"vanir_signatures_modified":"2026-04-12T08:15:18Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28366.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}