CVE-2025-11234

NameCVE-2025-11234
DescriptionA flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1117153

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)bullseye1:5.2+dfsg-11+deb11u3vulnerable
bullseye (security)1:5.2+dfsg-11+deb11u5vulnerable
bookworm1:7.2+dfsg-7+deb12u16vulnerable
bookworm (security)1:7.2+dfsg-7+deb12u15vulnerable
trixie1:10.0.6+ds-0+deb13u2vulnerable
trixie (security)1:10.0.2+ds-2+deb13u1vulnerable
forky1:10.1.2+ds-3vulnerable
sid1:10.2.0+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusource(unstable)1:10.1.3+ds-11117153

Notes

[trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9 (v10.2.0-rc1)
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/a2b7a95350c23b484543001734e1f22be6fe87f8 (v10.1.3)
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e21ef56b4b9213f8a86c5601b385b48f39339aba (v10.0.7)
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f (v7.2.22)
Search for package or bug name: Reporting problems