CVE-2025-11234

NameCVE-2025-11234
DescriptionA flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1117153

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)bullseye1:5.2+dfsg-11+deb11u3vulnerable
bullseye (security)1:5.2+dfsg-11+deb11u5vulnerable
bookworm1:7.2+dfsg-7+deb12u16vulnerable
bookworm (security)1:7.2+dfsg-7+deb12u15vulnerable
trixie1:10.0.3+ds-0+deb13u1vulnerable
trixie (security)1:10.0.2+ds-2+deb13u1vulnerable
forky, sid1:10.1.0+ds-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusource(unstable)(unfixed)1117153

Notes

https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
Search for package or bug name: Reporting problems