warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption_CVE-2026-10650

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Description

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Basic Information

ID CVE-2026-10650

Source VulDB

Published Jun 2, 2026 at 21:15

Affected Product

Vendor warmcat

Product libwebsockets

Version 4.5.0

Affected Versions warmcat libwebsockets 4.5.0
warmcat libwebsockets 4.5.1
warmcat libwebsockets 4.5.2
warmcat libwebsockets 4.5.3
warmcat libwebsockets 4.5.4
warmcat libwebsockets 4.5.5
warmcat libwebsockets 4.5.6
warmcat libwebsockets 4.5.7
warmcat libwebsockets 4.5.8

CWE Classification

CWE-400 CWE-404

References

{
    "lastseen": "",
    "description": "A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.",
    "published": "2026-06-02T21:15:10.566Z",
    "modified": "2026-06-02T21:15:10.566Z",
    "type": "cve",
    "title": "warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/367955\nhttps://vuldb.com/vuln/367955/cti\nhttps://vuldb.com/cve/CVE-2026-10650\nhttps://vuldb.com/submit/830261\nhttps://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc\nhttps://github.com/biniamf/pocs/blob/main/libwebsockets_sshd-parse-ic-unbounded-alloc/poc_sshd_unbounded_alloc.py\nhttps://github.com/warmcat/libwebsockets/commit/3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498\nhttps://github.com/warmcat/libwebsockets/",
    "id": "CVE-2026-10650",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400",
        "CWE-404"
    ],
    "cvelist": null,
    "sourceData": "warmcat libwebsockets 4.5.0\nwarmcat libwebsockets 4.5.1\nwarmcat libwebsockets 4.5.2\nwarmcat libwebsockets 4.5.3\nwarmcat libwebsockets 4.5.4\nwarmcat libwebsockets 4.5.5\nwarmcat libwebsockets 4.5.6\nwarmcat libwebsockets 4.5.7\nwarmcat libwebsockets 4.5.8",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "libwebsockets",
    "version": "4.5.0",
    "vendor": "warmcat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}