ELA-1536-1 mosquitto security update

out-of-bounds memory access

2025-10-07
Package: mosquitto
Version: 1.5.7-1+deb10u2 (buster)
Related CVEs: CVE-2024-10525


CVE-2024-10525

If a malicious broker sends a crafted SUBACK packet with no reason codes, a
client using libmosquitto may perform an out-of-bounds memory access when
acting in its on_subscribe callback. This affects the mosquitto_sub and
mosquitto_rr clients.
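
The condition can be checked on the wire before any callback runs. The following is an added example, not part of this advisory or of the mosquitto code base: a bounds-checked validator that counts the return codes in a raw SUBACK, assuming the MQTT 3.1.1 layout (MQTT 5 places properties before the reason codes). `suback_check` and its result constants are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for the checker below. */
enum { SUBACK_MALFORMED = -1, SUBACK_EMPTY = -2 };

/* Validate a raw MQTT 3.1.1 SUBACK (assumed layout: fixed header,
 * Remaining Length, 2-byte packet id, then one return code per topic).
 * Returns the number of return codes and points *codes at the first one,
 * or a negative result code. Never reads past pkt[len - 1]. */
int suback_check(const uint8_t *pkt, size_t len, const uint8_t **codes)
{
    size_t pos = 1, remaining = 0;
    unsigned shift = 0;

    if (pkt == NULL || codes == NULL || len < 2 || pkt[0] != 0x90)
        return SUBACK_MALFORMED;            /* SUBACK is type 9, flags 0 */

    /* Remaining Length: 1 to 4 bytes, 7 bits each, high bit = "more". */
    for (;;) {
        if (pos >= len || shift > 21)
            return SUBACK_MALFORMED;
        uint8_t b = pkt[pos++];
        remaining |= (size_t)(b & 0x7F) << shift;
        if (!(b & 0x80))
            break;
        shift += 7;
    }
    if (remaining != len - pos || remaining < 2)
        return SUBACK_MALFORMED;            /* truncated, padded, or no packet id */
    if (remaining == 2)
        return SUBACK_EMPTY;                /* packet id only: zero return codes */

    *codes = pkt + pos + 2;
    return (int)(remaining - 2);
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    const uint8_t ok[]    = { 0x90, 0x03, 0x00, 0x01, 0x01 };
    const uint8_t empty[] = { 0x90, 0x02, 0x00, 0x01 };
    const uint8_t *codes = NULL;

    printf("ok:    %d\n", suback_check(ok, sizeof ok, &codes));
    printf("empty: %d\n", suback_check(empty, sizeof empty, &codes));
    return 0;
}
```

Application code that registers its own on_subscribe callback can apply the same rule by checking that qos_count is greater than zero before reading granted_qos[0].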


For Debian 10 buster, this problem has been fixed in version 1.5.7-1+deb10u2.

We recommend that you upgrade your mosquitto packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.