CVE-2023-28366: 
NixOS vulnerability analysis and mitigation

The Eclipse Mosquitto broker versions 1.3.2 through 2.x before 2.0.16 contains a memory leak vulnerability identified as CVE-2023-28366. The vulnerability was discovered on March 6, 2023, by Mischa Bachmann and was fixed in version 2.0.16 released on August 16, 2023. The issue affects the broker component of the MQTT message broker system (Compass Advisory, Mosquitto Blog).

The vulnerability stems from improper handling of error codes generated by the libc send() function. Specifically, when an EAGAIN error code is returned, the control flow catches the error but returns a success to the calling function, bypassing the memory freeing process. This occurs when a client sends many QoS 2 messages with duplicate message IDs and fails to respond to PUBREC commands. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can be exploited remotely to cause a denial of service condition. Attackers can abuse this behavior by transmitting a large amount of network packets of a particular type at a high rate, filling up the memory with unsent packages and eventually exhausting the system's resources (Compass Advisory).

The recommended mitigation is to upgrade to Eclipse Mosquitto version 2.0.16 or later, which contains the fix for this vulnerability. The fix was implemented through a patch that properly handles the EAGAIN error code from the libc send function (Mosquitto Blog, Compass Advisory).

Multiple Linux distributions have released security advisories and patches for this vulnerability, including Debian (DSA-5511-1), Fedora, and Gentoo. The vulnerability has been treated as a high-priority security issue, leading to rapid patch adoption across different platforms (Debian Security, Gentoo Security).