Vulnerability CVE-2025-11234: Information

Description

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Oct. 3, 2025
Modified: Feb. 24, 2026
Error type identifier: CWE-416

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| qemu | sisyphus | 10.1.4-alt1 | 10.1.4-alt1 | ALT-PU-2026-3760-1 | 409502 | Fixed |
| qemu | sisyphus_riscv64 | 10.1.4-alt1 | 10.1.4-alt1 | ALT-PU-2026-3838-1 | - | Fixed |

References to Advisories, Solutions, and Tools