CVE-2021-28166

Name of the Vulnerable Software and Affected Versions: Eclipse Mosquitto versions 2.0.0 through 2.0.9

Description: The issue occurs when an authenticated client connected with MQTT v5 sends a crafted CONNACK message to the broker, resulting in a NULL pointer dereference.

Recommendations: For Eclipse Mosquitto versions 2.0.0 through 2.0.9, consider restricting the use of MQTT v5 connections until a patch is available. As a temporary workaround, avoid allowing clients to send crafted CONNACK messages to the broker. At the moment, there is no information about a newer version that contains a fix for this vulnerability.