CVE-2025-11677
Published: October 23, 2025Last modified: June 22, 2026
Description
Use After Free in WebSocket server implementation in lws_handshake_server in warmcat libwebsockets may allow an attacker, in specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve denial of service.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | libwebsockets | Fixed (4.3.10-r0) |
| 25 LTS | libwebsockets | Fixed (4.3.10-r0) | |
| Stream | libwebsockets | Fixed (4.3.10-r0) |