CVE-2019-13132

In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

Published: Jul 10, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-13132
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
zeromq / libzmq	-	4.0.9
zeromq / libzmq	4.1.0	4.1.7
zeromq / libzmq	4.2.0	4.3.2
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	18.10	18.10.x
canonical / ubuntu_linux	19.04	19.04.x
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x

Vulnerability Database

308,485

CVE-2019-13132

Deep Security Visibility Without the Complexity