CVE-2026-10650

NameCVE-2026-10650
DescriptionA flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1139178

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libwebsockets (PTS)bullseye4.0.20-2vulnerable
bullseye (security)4.0.20-2+deb11u1vulnerable
bookworm4.1.6-3vulnerable
trixie4.3.5-1+deb13u1vulnerable
forky, sid4.3.5-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libwebsocketssource(unstable)4.3.5-51139178

Notes

[trixie] - libwebsockets <no-dsa> (Minor issue)
[bookworm] - libwebsockets <no-dsa> (Minor issue)
[bullseye] - libwebsockets <postponed> (Minor issue)
https://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc
https://libwebsockets.org/git/libwebsockets/commit?id=3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498
Search for package or bug name: Reporting problems