ZeroMQ libzmq Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability


In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.


The information has been provided by Fang-Pen Lin

The original article can be found at:


ZeroMQ is prone to a remote stack-based buffer-overflow vulnerability.Attackers can exploit this issue to cause denial-of-service conditions. Due to the nature of this issue, arbitrary code-execution may be possible; however this has not been confirmed.

Vulnerable Systems:
ZeroMQ 4.0.5
ZeroMQ 4.0.4
ZeroMQ 4.3.1
ZeroMQ 4.3.0
ZeroMQ 4.1.6
ZeroMQ 4.1.5
ZeroMQ 4.1.0 Rc1

CVE Information:


Disclosure Timeline:
Published Date:07/16/2019