DescriptionIn Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs953049

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qtwebsockets-opensource-src (PTS)buster5.11.3-5vulnerable
bookworm, sid5.15.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[buster] - qtwebsockets-opensource-src <ignored> (Minor issue, fix adds new API only)
[stretch] - qtwebsockets-opensource-src <ignored> (Minor issue)
[jessie] - qtwebsockets-opensource-src <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems