CVE-2025-11680

NameCVE-2025-11680
DescriptionOut-of-bounds Write in unfilter_scanline in warmcat libwebsockets allows, when the LWS_WITH_UPNG flag is enabled during compilation and the HTML display stack is used, to write past a heap allocated buffer possibly causing a crash, when the user visits an attacker controlled website that contains a crafted PNG file with a big width value that causes an integer overflow which value is used for determining the size of a heap allocation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libwebsockets (PTS)bullseye4.0.20-2fixed
bullseye (security)4.0.20-2+deb11u1fixed
bookworm4.1.6-3fixed
trixie4.3.5-1+deb13u1fixed
forky, sid4.3.5-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libwebsocketssource(unstable)(not affected)

Notes

- libwebsockets <not-affected> (Vulnerable code introduced in 4.4.0)
Introduced in: https://libwebsockets.org/git/libwebsockets/commit?id=48907fca0a25c39ce35692c527cb8aa82ee60d85 (v4.4.0)
Fixed in: https://libwebsockets.org/git/libwebsockets/commit?id=2b715249f39291c86443b969a1088d59b6a89b78
Search for package or bug name: Reporting problems