Description
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
Problem types
Product status
2.6.0 (semver) before 10.1.2
18:10.0.0-14.el10_1.5 (rpm) before *
8100020251120003312.489197e6 (rpm) before *
8100020251202222937.489197e6 (rpm) before *
17:10.1.0-17.el9_8 (rpm) before *
17:6.2.0-11.el9_0.10 (rpm) before *
17:7.2.0-14.el9_2.24 (rpm) before *
17:8.2.0-11.el9_4.18 (rpm) before *
17:8.2.0-11.el9_4.19 (rpm) before *
416.94.202601071926-0 (rpm) before *
417.94.202601120213-0 (rpm) before *
418.94.202601071817-0 (rpm) before *
Timeline
| 2025-09-30: | Reported to Red Hat. |
| 2025-09-30: | Made public. |
Credits
Red Hat would like to thank Grant Millar (Cylo) for reporting this issue.
References
access.redhat.com/errata/RHSA-2025:23228 (RHSA-2025:23228)
access.redhat.com/errata/RHSA-2026:0326 (RHSA-2026:0326)
access.redhat.com/errata/RHSA-2026:0332 (RHSA-2026:0332)
access.redhat.com/errata/RHSA-2026:0702 (RHSA-2026:0702)
access.redhat.com/errata/RHSA-2026:1831 (RHSA-2026:1831)
access.redhat.com/errata/RHSA-2026:18772 (RHSA-2026:18772)
access.redhat.com/errata/RHSA-2026:22147 (RHSA-2026:22147)
access.redhat.com/errata/RHSA-2026:3077 (RHSA-2026:3077)
access.redhat.com/errata/RHSA-2026:3165 (RHSA-2026:3165)
access.redhat.com/errata/RHSA-2026:5578 (RHSA-2026:5578)
access.redhat.com/security/cve/CVE-2025-11234
bugzilla.redhat.com/show_bug.cgi?id=2401209 (RHBZ#2401209)