VYPR
Unrated severity · NVD Advisory · Published May 28, 2021 · Updated Aug 3, 2024

CVE-2021-20237

Description

ZeroMQ before 4.3.3 leaks memory on PUB sockets when processing messages with metadata if CURVE/ZAP authentication is disabled, enabling DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An uncontrolled resource consumption (memory leak) flaw exists in ZeroMQ's src/xpub.cpp in versions before 4.3.3. When the server disables CURVE/ZAP authentication, a remote unauthenticated attacker can send crafted PUB messages containing metadata. The metadata is never processed by PUB sockets but remains referenced in the PUB object and is never freed, leading to a memory leak [1][2].

Exploitation

An attacker needs network access to a ZeroMQ PUB server that has CURVE/ZAP authentication disabled. No authentication or prior knowledge is required. The attacker sends specially crafted PUB messages (e.g., the fuzz input shown in [2]) that include metadata fields. Each such message causes the server to allocate and retain metadata, progressively consuming memory without bounds [1][2].

Impact

Successful exploitation leads to memory exhaustion on the server, resulting in a denial of service (DoS) due to system unavailability. The server may slow down, become unresponsive, or crash. The integrity and confidentiality of data are not directly compromised [1][2].

Mitigation

The fix is included in ZeroMQ version 4.3.3 (pull request #3935) [1][2]. Users should upgrade to 4.3.3 or later. For package-specific updates, Red Hat and Fedora have released patches (e.g., FEDORA-2021-8b3202b783) [1]. No workaround is available if the server must accept unauthenticated connections; enabling CURVE/ZAP authentication prevents exploitation by blocking unauthenticated clients [2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

04f5bbedee58

Finalize changelog for 4.3.3

https://github.com/zeromq/libzmq · Luca Boccassi · Sep 2, 2020 · via osv
1 file changed · +1 −1
  • NEWS · +1 −1 · modified
    @@ -1,4 +1,4 @@
    -0MQ version 4.3.x stable, released on 20xx/xx/xx
    +0MQ version 4.3.3 stable, released on 2020/09/07
     ================================================
     
     * Security advisories:
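
Review bot: the `+` header line hard-codes the release date 2020/09/07, which is later than the Sep 2, 2020 date shown for this commit; if the tag slips, this line needs updating again. The visible context stops at `* Security advisories:`, so check that the PUB metadata leak fixed in `src/xpub.cpp` is listed under it, since that list is what packagers read to decide whether 4.3.3 is a security update.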
    
c95f7d09338f

Merge pull request #3935 from bluca/fuzzers

https://github.com/zeromq/libzmq · Doron Somech · May 25, 2020 · via body-scan
1 file changed · +9 −2
  • src/xpub.cpp · +9 −2 · modified
    @@ -59,6 +59,11 @@ zmq::xpub_t::xpub_t (class ctx_t *parent_, uint32_t tid_, int sid_) :
     zmq::xpub_t::~xpub_t ()
     {
         _welcome_msg.close ();
    +    for (std::deque<metadata_t *>::iterator it = _pending_metadata.begin (),
    +                                            end = _pending_metadata.end ();
    +         it != end; ++it)
    +        if (*it && (*it)->drop_ref ())
    +            LIBZMQ_DELETE (*it);
     }
     
     void zmq::xpub_t::xattach_pipe (pipe_t *pipe_,
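
Review bot: the new loop in `~xpub_t ()` releases `_pending_metadata` only when the socket is destroyed, so on its own it does not stop the deque from growing while a socket stays open; that depends on the `options.type != ZMQ_PUB` check added to `xread_activated`. A short comment saying so would help the next reader, and the `for` body (a bare `if` followed by `LIBZMQ_DELETE`) would be safer with braces around it.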
    @@ -126,8 +131,10 @@ void zmq::xpub_t::xread_activated (pipe_t *pipe_)
                 _process_subscribe =
                   !_only_first_subscribe || is_subscribe_or_cancel;
     
    -        if (!is_subscribe_or_cancel) {
    -            //  Process user message coming upstream from xsub socket
    +        if (!is_subscribe_or_cancel && options.type != ZMQ_PUB) {
    +            //  Process user message coming upstream from xsub socket,
    +            //  but not if the type is PUB, which never processes user
    +            //  messages
                 _pending_data.push_back (blob_t (msg_data, msg.size ()));
                 if (metadata)
                     metadata->add_ref ();
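
Review bot: the new condition `options.type != ZMQ_PUB` makes PUB sockets skip the queueing path, but for every other socket type the unchanged lines still run `_pending_data.push_back (...)` and `metadata->add_ref ()` for each upstream user message. Confirm that those queues are drained or bounded for XPUB, and add a regression test that sends a user message with metadata to a PUB socket and checks that nothing is queued.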
    

Vulnerability mechanics

Root cause

"Missing cleanup of pending metadata references in XPUB socket destructor and incorrect processing of user messages on PUB-type sockets leads to memory leaks."

Attack vector

A remote unauthenticated attacker can send crafted PUB messages to a ZeroMQ server that has CURVE/ZAP authentication disabled. When the server receives these messages via an XPUB socket, the `xread_activated()` function in `src/xpub.cpp` [patch_id=2271415] processes user messages even for `ZMQ_PUB` type sockets, which should never do so. Each processed message adds a metadata reference to `_pending_metadata` without proper cleanup, causing uncontrolled memory consumption. The attacker can sustain the attack to exhaust server memory, resulting in a denial of service.

Affected code

The vulnerability is in `src/xpub.cpp` in the ZeroMQ library. The destructor `~xpub_t()` was missing cleanup of the `_pending_metadata` deque, causing memory leaks when pending metadata entries were not freed. Additionally, the `xread_activated()` function processed user messages for `ZMQ_PUB` type sockets, which should never process user messages, leading to leaked metadata references.

What the fix does

The fix in commit `c95f7d09338f946fc2b912d7938e77af258b4a0c` [patch_id=2271415] addresses two issues. First, the `~xpub_t()` destructor now iterates over `_pending_metadata` and drops references for each entry, preventing memory leaks on socket destruction. Second, the `xread_activated()` function adds a check `options.type != ZMQ_PUB` so that `ZMQ_PUB` sockets no longer process user messages, preventing the accumulation of leaked metadata references during operation. The changelog update in commit `04f5bbedee58c538934374dc45182d8fc5926fa3` [patch_id=2271414] marks version 4.3.3 as the release containing the security fix.
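
The two parts of the fix can be seen in a simplified model of the reference counting, added here as an illustration and not taken from libzmq: `Metadata`, `ToyXpub` and `leaked_after` are hypothetical names, and the model assumes the application never drains the pending queue.

```cpp
// Simplified model of the reference-counting flow; not libzmq source code.
#include <deque>
#include <vector>

struct Metadata {                   // stand-in for zmq::metadata_t
    int refs = 1;                   // the carrying message holds the first reference
    bool freed = false;             // set where libzmq would LIBZMQ_DELETE the object
    void add_ref () { ++refs; }
    bool drop_ref () { return --refs == 0; }
};

enum SocketType { PUB, XPUB };

struct ToyXpub {
    SocketType type;
    bool patched;                   // true = behaviour after the 4.3.3 fix
    std::deque<Metadata *> pending; // models _pending_metadata
    ToyXpub (SocketType t, bool p) : type (t), patched (p) {}
    // Models xread_activated () handling one upstream user message.
    void on_user_message (Metadata *md) {
        if (patched && type == PUB) return; // fix, part 2: PUB never queues user messages
        if (md) md->add_ref ();
        pending.push_back (md);
    }

    ~ToyXpub () {
        if (!patched) return;        // pre-fix destructor: queued references are never dropped
        for (Metadata *md : pending) // fix, part 1: release whatever is still queued
            if (md && md->drop_ref ())
                md->freed = true;
    }
};

// Delivers n messages with metadata, closes the socket, returns how many objects were never released.
int leaked_after (SocketType type, bool patched, int n) {
    std::vector<Metadata> pool (n); // constructed sample metadata, one per message
    {
        ToyXpub sock (type, patched);
        for (Metadata &md : pool) {
            sock.on_user_message (&md);
            if (md.drop_ref ())     // the message is closed and gives up its reference
                md.freed = true;
        }
    }
    int leaked = 0;
    for (const Metadata &md : pool)
        leaked += md.freed ? 0 : 1;
    return leaked;
}
```

In the unpatched model every message leaves one metadata object unreleased after the socket closes; with both changes applied, none remain for either socket type.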

Preconditions

  • config: CURVE/ZAP authentication must be disabled on the server
  • network: Attacker must have network access to send PUB messages to the server
  • config: Server must be running a version of ZeroMQ before 4.3.3

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
