CVE-2019-13132
Description
A buffer overflow in ZeroMQ's CURVE authentication allows remote unauthenticated attackers to cause a stack overflow and potentially execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow exists in the ZeroMQ library (libzmq) when processing CURVE encryption handshakes. The flaw resides in the curve_server.cpp code path that handles incoming client hello messages. A remote, unauthenticated client can send a specially crafted packet that overflows a fixed-size stack buffer, overwriting the stack with attacker-controlled data. All versions from 4.0.0 up to but not including 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2 are affected [3].
Exploitation
An attacker needs only network access to a libzmq application that listens with CURVE encryption/authentication enabled. No prior authentication or user interaction is required. The attacker sends a malicious CURVE handshake message that triggers the buffer overflow, allowing them to overwrite the stack with arbitrary data [2][3].
Impact
Successful exploitation results in a stack overflow, which can cause a denial of service (crash) or, with careful crafting, arbitrary code execution at the privilege level of the vulnerable process. The CVSS v3 score is 9.8 (Critical) [2][3].
Mitigation
Upgrade to a fixed version: 4.0.9, 4.1.7, or 4.3.2 (or any later release such as 4.3.5) [1][3]. No workarounds are available; users running public servers with CURVE encryption enabled are strongly advised to upgrade immediately [3].
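A deployment-side check for the ranges given above, as an added example that is not part of this record or of the libzmq project: it parses a libzmq version string and reports whether it falls inside one of the three affected branches stated in the Vulnerability section, and which upstream release closes the branch. The version boundaries come from this record; how the version string is obtained (for example from pyzmq's `zmq.zmq_version()`, or a package manager query) is left to the caller, and the sample inputs at the bottom are constructed.

```python
"""Check a libzmq version against the CVE-2019-13132 affected ranges.

Added example, not code from this record or from the libzmq project.
Version boundaries are those stated in this record's Vulnerability and
Mitigation sections. The sample version strings below are constructed.
"""
import re

# (first affected, first fixed) per release branch, from the record:
#   4.0.0 up to but not including 4.0.9
#   4.1.x before 4.1.7
#   4.2.x before 4.3.2 (so 4.2.0 up to but not including 4.3.2)
AFFECTED_RANGES = (
    ((4, 0, 0), (4, 0, 9)),
    ((4, 1, 0), (4, 1, 7)),
    ((4, 2, 0), (4, 3, 2)),
)


def parse_version(text):
    """Return (major, minor, patch) from '4.3.1', 'v4.1.6' or a distro
    string such as '4.2.3-lp151.5.3.1' (the release suffix is ignored)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised libzmq version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the upstream version lies inside an affected range.

    Caveat: distribution packages (see the Affected products list) may
    carry the fix as a backport under an unchanged upstream version, so a
    '4.2.3-lp151.5.3.1' package reports as affected here even though the
    vendor advisory says it is fixed. Compare against the vendor range in
    that case rather than the upstream version alone.
    """
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text):
    """Name the upstream release that closes the hole for this branch,
    or None when the version is outside every affected range."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: one per branch plus a fixed and an old one.
    for sample in ("4.0.8", "4.1.6", "4.3.1", "4.3.2", "4.3.5", "3.2.5"):
        status = "AFFECTED" if is_affected(sample) else "not affected"
        fix = fixed_version_for(sample)
        print(f"libzmq {sample}: {status}" + (f", upgrade to {fix}" if fix else ""))
```

Run it against the version a process actually links (pyzmq exposes it as `zmq.zmq_version()`; `ldd` on the binary and the package manager are the alternatives), and treat a "fixed" result from a distribution package as authoritative only when the vendor advisory's range confirms it.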
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (19)
- ZeroMQ/libzmq (description)
- OSV coordinates, 17 versions (no CPE), each followed by its affected range in the order listed:
  - pkg:rpm/opensuse/zeromq&distro=openSUSE%20Leap%2015.0: < 4.2.3-lp151.5.3.1
  - pkg:rpm/opensuse/zeromq&distro=openSUSE%20Leap%2015.1: < 4.2.3-lp151.5.3.1
  - pkg:rpm/opensuse/zeromq&distro=openSUSE%20Tumbleweed: < 4.3.4-2.2
  - pkg:rpm/suse/zeromq&distro=SUSE%20Enterprise%20Storage%204: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Enterprise%20Storage%205: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Advanced%20Systems%20Management%2012: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015: < 4.2.3-3.8.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1: < 4.2.3-3.8.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2012%20SP2: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-CLIENT-TOOLS: < 4.0.4-3.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-CLIENT-TOOLS: < 4.0.4-3.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Manager%20Client%20Tools%2012: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Manager%20Proxy%203.2: < 4.0.4-15.3.1
  - pkg:rpm/suse/zeromq&distro=SUSE%20Manager%20Server%203.2: < 4.0.4-15.3.1
Patches
3a84ffa12b2eb Finalize changelog for 4.3.2
1 file changed · +1 −1
NEWS+1 −1 modified@@ -1,4 +1,4 @@ -0MQ version 4.3.2 stable, released on 20xx/xx/xx +0MQ version 4.3.2 stable, released on 2019/07/08 ================================================ * CVE-2019-13132: a remote, unauthenticated client connecting to a
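Review bot: the placeholder date `20xx/xx/xx` becomes `2019/07/08`, which agrees with the oss-security disclosure post in the references (www.openwall.com/lists/oss-security/2019/07/08/6), so the changelog and the public advisory are dated consistently. This commit touches only NEWS; the fix in the curve_server.cpp handshake path that the vulnerability section describes is not among the listed patches, so it would help readers to reference the fixing commit from the CVE-2019-13132 entry in NEWS so the advisory line can be traced to the code change.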
28625e3479a9 Finalize NEWS and ABI revision for 4.0.9
2 files changed · +3 −2
configure.ac+2 −1 modified@@ -31,9 +31,10 @@ AC_SUBST(PACKAGE_VERSION) # ZeroMQ version 3.1: 3:0:0 (ABI version 3) # ZeroMQ version 4.0: 4:0:0 (ABI version 4) # ZeroMQ version 4.0.8: 4:1:0 (ABI version 4) +# ZeroMQ version 4.0.9: 4:2:0 (ABI version 4) # # libzmq -version-info current:revision:age -LTVER="4:1:0" +LTVER="4:2:0" AC_SUBST(LTVER) # Take a copy of original flags
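Review bot: the LTVER change from `4:1:0` to `4:2:0` bumps only the libtool revision field and leaves current and age unchanged, which is the correct choice for a fix that adds or removes no interfaces, and the added line `# ZeroMQ version 4.0.9: 4:2:0 (ABI version 4)` keeps the version table in the comment in step with the value below it. The 4.1.7 commit further down applies the same revision-only bump (`5:2:0` to `5:3:0`), so the two release branches are handled consistently.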
NEWS+1 −1 modified@@ -1,4 +1,4 @@ -0MQ version 4.0.9 stable, released on 2016/xx/xx +0MQ version 4.0.9 stable, released on 2019/07/08 ================================================ * CVE-2019-13132: a remote, unauthenticated client connecting to a
c9894a493dd4 Finalize NEWS and bump ABI revision for 4.1.7
2 files changed · +3 −2
configure.ac+2 −1 modified@@ -34,9 +34,10 @@ AC_SUBST(PACKAGE_VERSION) # ZeroMQ version 4.1: 5:0:0 (ABI version 5) # ZeroMQ version 4.1.5: 5:1:0 (ABI version 5) # ZeroMQ version 4.1.6: 5:2:0 (ABI version 5) +# ZeroMQ version 4.1.7: 5:3:0 (ABI version 5) # # libzmq -version-info current:revision:age -LTVER="5:2:0" +LTVER="5:3:0" AC_SUBST(LTVER) # Take a copy of original flags
NEWS+1 −1 modified@@ -1,4 +1,4 @@ -0MQ version 4.1.7 stable, released on 20xx/xx/xx +0MQ version 4.1.7 stable, released on 2019/07/08 ================================================ * CVE-2019-13132: a remote, unauthenticated client connecting to a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (15)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.html (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVCTNUEOFFZUNJOXFCYCF3C6Y6NDILI3/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MK7SJYDJ7MMRRRPCUN3SCSE7YK6ZSHVS/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6HINI24SL7CU6XIJWUOSGTZWEFOOL7X/ (mitre; vendor-advisory)
- security.gentoo.org/glsa/201908-17 (mitre; vendor-advisory)
- usn.ubuntu.com/4050-1/ (mitre; vendor-advisory)
- www.debian.org/security/2019/dsa-4477 (mitre; vendor-advisory)
- www.openwall.com/lists/oss-security/2019/07/08/6 (mitre; mailing-list)
- www.securityfocus.com/bid/109284 (mitre; vdb-entry)
- lists.debian.org/debian-lts-announce/2019/07/msg00007.html (mitre; mailing-list)
- seclists.org/bugtraq/2019/Jul/13 (mitre; mailing-list)
- fangpenlin.com/posts/2024/04/07/how-i-discovered-a-9-point-8-critical-security-vulnerability-in-zeromq-with-mostly-pure-luck/ (mitre)
- github.com/zeromq/libzmq/issues/3558 (mitre)
- github.com/zeromq/libzmq/releases (mitre)
- news.ycombinator.com/item (mitre)
News mentions (0)
No linked articles in our index yet.