CVE-2025-11677

Published: October 23, 2025Last modified: June 22, 2026

Description

Use After Free in WebSocket server implementation in lws_handshake_server in warmcat libwebsockets may allow an attacker, in specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve denial of service.

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSlibwebsocketsFixed (4.3.10-r0)
25 LTSlibwebsocketsFixed (4.3.10-r0)
StreamlibwebsocketsFixed (4.3.10-r0)

References

ON THIS PAGE