NIXPKGS-2026-1848

GitHub issue published 1 week, 4 days ago

Permalink CVE-2026-10650

5.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 1 week, 4 days ago by @LeSuisse Activity log

Created suggestion 1 week, 4 days ago
@LeSuisse ignored
4 references
1 week, 4 days ago
@LeSuisse accepted 1 week, 4 days ago
@LeSuisse published on GitHub 1 week, 4 days ago

warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

References

Ignored references (4)

VDB-367955 | CTI Indicators (IOB, IOC, TTP, IOA) permissions-requiredsignature
CVE-2026-10650 | CVE Analysis and Report third-party-advisory
Submit #830261 | warmcat libwebsockets 4.5.99-v4.5.0-382-g4a63b9333 Uncontrolled Memory Allocation third-party-advisory
https://github.com/warmcat/libwebsockets/ product

Affected products

libwebsockets

==4.5.6
==4.5.2
==4.5.3
==4.5.0
==4.5.5
==4.5.1
==4.5.7
==4.5.8
==4.5.4

Matching in nixpkgs

pkgs.libwebsockets

Light, portable C library for websockets

nixos-unstable 4.4.1
- nixpkgs-unstable 4.4.1
- nixos-unstable-small 4.4.1

Package maintainers

@Mindavi Rick van Schijndel <rol3517@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1848

References

Affected products

Matching in nixpkgs

pkgs.libwebsockets

Package maintainers