CVE-2026-10650

Summary

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Affected Software

VendorProductVersion RangeStatus
warmcatlibwebsockets4.5.0affected
warmcatlibwebsockets4.5.1affected
warmcatlibwebsockets4.5.2affected
warmcatlibwebsockets4.5.3affected
warmcatlibwebsockets4.5.4affected
warmcatlibwebsockets4.5.5affected
warmcatlibwebsockets4.5.6affected
warmcatlibwebsockets4.5.7affected
warmcatlibwebsockets4.5.8affected

Weaknesses

  • CWE-400: Resource Consumption
  • CWE-404: Denial of Service

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References