CVE-2025-11234 PUBLISHED

Qemu-kvm: vnc websocket handshake use-after-free

Assigner: redhat
Reserved: 01.10.2025 Published: 03.10.2025 Updated: 24.03.2026

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
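
The lifecycle problem described above, reduced to a constructed C model (an added example, not QEMU's code or its patch): a pending callback source that outlives the object it points to, beside a teardown that cancels the source before freeing. The event-loop table, `struct channel` and every function name here are hypothetical stand-ins, and the dangling callback is counted, never dispatched.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an event loop: a small table of pending sources. */
typedef void (*source_cb)(void *opaque);
struct source { source_cb cb; void *opaque; int active; };
static struct source loop[8];

static int loop_add(source_cb cb, void *opaque) {
    for (int i = 0; i < 8; i++)
        if (!loop[i].active) {
            loop[i] = (struct source){ cb, opaque, 1 };
            return i + 1;              /* tag 0 means "no source" */
        }
    return 0;
}
static void loop_remove(int tag) { if (tag > 0) loop[tag - 1].active = 0; }
static int loop_pending(void) {
    int n = 0;
    for (int i = 0; i < 8; i++) n += loop[i].active;
    return n;
}

/* Hypothetical channel object waiting for its handshake callback. */
struct channel { int hs_tag; int handshake_done; };

static void handshake_cb(void *opaque) {
    struct channel *ch = opaque;       /* dangling if ch was freed first */
    ch->handshake_done = 1;
    ch->hs_tag = 0;
}
static struct channel *channel_new(void) {
    struct channel *ch = calloc(1, sizeof(*ch));
    if (ch) ch->hs_tag = loop_add(handshake_cb, ch);
    return ch;
}
/* Leaky teardown: the source stays armed and points at freed memory. */
static void channel_free_leaky(struct channel *ch) { free(ch); }
/* Hardened teardown: cancel the pending source, then release the object. */
static void channel_free_safe(struct channel *ch) { loop_remove(ch->hs_tag); free(ch); }

/* Sources still armed after the channel is gone (never dispatched here). */
static int dangling_after_free(int hardened) {
    for (int i = 0; i < 8; i++) loop[i].active = 0;
    struct channel *ch = channel_new();
    if (!ch) return -1;
    if (hardened) channel_free_safe(ch); else channel_free_leaky(ch);
    return loop_pending();
}
int main(void) {
    printf("leaky: %d armed\n", dangling_after_free(0));
    printf("safe:  %d armed\n", dangling_after_free(1));
    return 0;
}
```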

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Package Collection https://gitlab.com/qemu-project/qemu
Package Name qemu
Versions Default: unaffected
  • affected from 2.6.0 to 10.1.2 (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
  • unaffected from 18:10.0.0-14.el10_1.5 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
  • unaffected from 8100020251120003312.489197e6 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
  • unaffected from 8100020251202222937.489197e6 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 17:7.2.0-14.el9_2.24 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.4 Extended Update Support
Versions Default: affected
  • unaffected from 17:8.2.0-11.el9_4.18 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.4 Extended Update Support
Versions Default: affected
  • unaffected from 17:8.2.0-11.el9_4.19 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.16
Versions Default: affected
  • unaffected from 416.94.202601071926-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.17
Versions Default: affected
  • unaffected from 417.94.202601120213-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.18
Versions Default: affected
  • unaffected from 418.94.202601071817-0 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected

Credits

  • Red Hat would like to thank Grant Millar (Cylo) for reporting this issue.

Problem Types

  • Use After Free CWE