#1139178 libwebsockets: CVE-2026-10650

Package:
src:libwebsockets
Source:
src:libwebsockets
Submitter:
Salvatore Bonaccorso
Date:
2026-06-07 07:07:01 UTC
Severity:
normal
#1139178#5
Date:
2026-06-06 19:28:00 UTC
Hi,

The following vulnerability was published for libwebsockets.

CVE-2026-10650[0]:
| A flaw has been found in warmcat libwebsockets up to 4.5.8. This
| issue affects the function lws_ssh_parse_plaintext of the file
| plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol
| Handler. Executing a manipulation of the argument msg_len can lead
| to resource consumption. The attack may be launched remotely. The
| exploit has been published and may be used. This patch is called
| 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied
| to remediate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10650
https://www.cve.org/CVERecord?id=CVE-2026-10650
[1] https://libwebsockets.org/git/libwebsockets/commit?id=3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1139178#10
Date:
2026-06-07 07:04:53 UTC
We believe that the bug you reported is fixed in the latest version of
libwebsockets, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139178@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated libwebsockets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 07 Jun 2026 01:17:52 +0200
Source: libwebsockets
Architecture: source
Version: 4.3.5-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1139178
Changes:
 libwebsockets (4.3.5-5) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2026-10650: resource consumption
     in the lws_ssh_parse_plaintext() function (closes: #1139178).