
Introduction
Libwebsockets (LWS) is a lightweight, pure C library that provides client and server implementations for HTTP/1, HTTP/2, WebSockets, MQTT, and other protocols in a security-minded, configurable, and scalable way. Recently, security researchers have uncovered a concerning wave of memory corruption vulnerabilities across multiple components of this widely deployed library. Most critically, a pre-authentication remote heap overflow in the SSH protocol handler allows unauthenticated attackers to exhaust system memory or potentially execute arbitrary code, while additional stack-based buffer overflows and use-after-free flaws in the async-DNS and WebSocket components compound the risk. These vulnerabilities affect versions from 4.0.20 through 4.5.8, making countless embedded devices, IoT platforms, and high-performance servers vulnerable to remote compromise.
Learning Objectives
- Understand the technical mechanics of pre-auth heap overflow, stack-based buffer overflow, and use-after-free vulnerabilities in libwebsockets
- Learn how to identify vulnerable libwebsockets deployments across Linux and Windows environments
- Master the step-by-step process for detecting, validating, and remediating these memory corruption flaws
- Gain hands-on experience with PoC exploitation tools and AddressSanitizer-based testing harnesses
- Implement effective mitigation strategies including version upgrades, compilation flag adjustments, and network-layer protections
You Should Know
1. The Anatomy of the Pre-Auth Remote Heap Overflow (CVE-2026-10650)
The most severe vulnerability discovered in recent libwebsockets security research is a pre-authentication remote heap overflow affecting the SSH protocol handler. The flaw resides in the `lws_ssh_parse_plaintext()` function within plugins/protocol_lws_ssh_base/sshd.c, that is, in the optional SSH-server plugin rather than the core library, so only deployments that build and load that plugin expose the code path. When `msg_id == SSH_MSG_KEXINIT` (20), the attacker-supplied `msg_len` is passed directly to `sshd_zalloc()` without any upper-bound validation.
What this means in practice: An unauthenticated remote attacker can send a specially crafted SSH message with an oversized `msg_len` parameter. The function then attempts to allocate memory of that size—potentially up to ~128 MB per connection, or even ~4 GB in certain configurations—exhausting system memory through repeated connections. This leads to a denial-of-service condition where the server becomes unresponsive or crashes entirely.
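The length-bounding problem described above, as an added illustration in C. This is not libwebsockets code and does not reproduce the actual sshd.c logic; it is a minimal reader for the SSH binary-packet header (RFC 4253 section 6: `uint32 packet_length | byte padding_length | payload`, where payload byte 0 is the message id and 20 is `SSH_MSG_KEXINIT`). The unchecked function derives the KEXINIT payload size the way an unbounded implementation would and reports what it would hand to the allocator; the hardened function applies the 35000-byte packet limit from RFC 4253 section 6.1 and guards the subtraction. The `msg_len = packet_length - padding_length - 1` arithmetic is an assumption about how such a parser is typically written, and the header bytes are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SSH_MSG_KEXINIT 20
/* RFC 4253 s.6.1: implementations must accept packets up to 35000 bytes.
 * Anything larger from an unauthenticated peer is treated as hostile here. */
#define SSH_MAX_PACKET 35000u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable pattern (illustrative): derive the KEXINIT allocation size from
 * the peer's packet_length and hand it straight to the allocator. Returns the
 * size the allocator would be asked for, or 0 if the header is not a KEXINIT. */
uint64_t kexinit_alloc_size_unchecked(const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < 6)
        return 0;
    uint32_t packet_length = be32(hdr);
    uint8_t padding_length = hdr[4];
    uint8_t msg_id = hdr[5];
    if (msg_id != SSH_MSG_KEXINIT)
        return 0;
    /* Assumed arithmetic: msg_len = packet_length - padding_length - 1 (the
     * message-id byte). With an attacker-chosen packet_length near 2^32 this
     * is a ~4 GB request; a value below padding_length + 1 underflows. */
    uint32_t msg_len = packet_length - padding_length - 1;
    return msg_len;
}

/* Hardened form: bound packet_length before any arithmetic or allocation and
 * make sure the subtraction cannot underflow. Returns the size to allocate,
 * or -1 meaning "drop the connection". */
int64_t kexinit_alloc_size_checked(const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < 6)
        return -1;
    uint32_t packet_length = be32(hdr);
    uint8_t padding_length = hdr[4];
    uint8_t msg_id = hdr[5];
    if (msg_id != SSH_MSG_KEXINIT)
        return -1;
    if (packet_length > SSH_MAX_PACKET)                  /* oversized */
        return -1;
    if (padding_length < 4)                              /* RFC 4253 s.6 */
        return -1;
    if (packet_length < (uint32_t)padding_length + 1u)   /* would underflow */
        return -1;
    return (int64_t)(packet_length - padding_length - 1);
}

/* Constructed sample headers (not captured traffic): a plausible 1036-byte
 * KEXINIT, and one advertising packet_length 0xfffffff0. */
static const uint8_t benign_kexinit[6]  = { 0x00, 0x00, 0x04, 0x0c, 0x08, SSH_MSG_KEXINIT };
static const uint8_t hostile_kexinit[6] = { 0xff, 0xff, 0xff, 0xf0, 0x08, SSH_MSG_KEXINIT };

int main(void)
{
    printf("benign:  unchecked=%llu checked=%lld\n",
           (unsigned long long)kexinit_alloc_size_unchecked(benign_kexinit, 6),
           (long long)kexinit_alloc_size_checked(benign_kexinit, 6));
    printf("hostile: unchecked=%llu checked=%lld\n",
           (unsigned long long)kexinit_alloc_size_unchecked(hostile_kexinit, 6),
           (long long)kexinit_alloc_size_checked(hostile_kexinit, 6));
    return 0;
}
```

The point to carry over to any network parser: the allocation size must be bounded by a protocol or policy limit that the attacker does not control, and the bound must be applied before the arithmetic that produces the size, not after.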
How to test for this vulnerability:
```bash
# Step 1: Identify the libwebsockets version
dpkg -l | grep libwebsockets      # Debian/Ubuntu
rpm -qa | grep libwebsockets      # RHEL/CentOS
pkg_info | grep libwebsockets     # FreeBSD

# Step 2: Check whether the SSH protocol handler is present. It is built as the
# lws_ssh_base plugin, so check the plugin shared objects your deployment loads
# as well as the core library.
strings /usr/lib/x86_64-linux-gnu/libwebsockets.so | grep -i sshd

# Step 3: Run the public PoC (requires a server running libwebsockets-test-sshd)
./bin/libwebsockets-test-sshd -d 7      # start the test server with debug output
python3 poc_sshd_unbounded_alloc.py     # execute the PoC script against the target
```
The PoC script, available in public repositories, demonstrates how a single malformed packet can trigger massive heap allocations.
Windows-specific considerations: CVE-2025-1866 is a separate issue that affects libwebsockets before version 4.3.4 when built for the Win32 platform. The vulnerable code is not reached by default: it is only exposed if `LWS_WITHOUT_EXTENSIONS` (default ON) is manually set to OFF in CMake, making this a conditional but still serious risk for Windows deployments.
2. Stack-Based Buffer Overflow in Async-DNS (CVE-2025-11678)
Discovered by Raffaele Bova of Nozomi Networks Lab, CVE-2025-11678 is a stack-based buffer overflow in the `lws_adns_parse_label()` function within lib/system/async-dns/async-dns-parse.c. This vulnerability is triggered when the `LWS_WITH_SYS_ASYNC_DNS` flag is enabled during compilation.
Attack scenario: An attacker who can sniff DNS requests made by the victim (e.g., by being on the same wireless network) can forge a DNS response packet with a matching ID containing a label longer than the maximum allowed length. The `lws_adns_parse_label()` function iteratively parses the label but fails to correctly track the total number of bytes written to the destination buffer. While each substring is checked against the destination size (dl argument), previous reads are not accounted for, allowing a label of arbitrary size to be copied onto the stack.
Impact: Successful exploitation can lead to arbitrary code execution on the target system, with CVSS v3.1 base score of 7.5 (High). The vulnerability affects libwebsockets versions 4.0.20-2 through 4.3.5.
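The per-label-versus-total accounting mistake described above, as an added illustration in C. This is not the libwebsockets async-DNS code; it is a small copier for an RFC 1035 domain name (length-prefixed labels terminated by a zero byte) into a fixed destination of `dl` bytes, written as dotted text. The naive version checks each label against `dl` on its own, so a name built from several labels that individually fit still runs past the destination; the hardened version tracks the running total. Compression pointers are rejected rather than followed, to keep the example short. To observe the overrun safely, the demo backs the naive copy with a 64-byte scratch buffer while advertising `dl = 16`, and the sample names are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Naive pattern (illustrative): only the current label is compared with dl.
 * Returns bytes written including the NUL, or -1 on a malformed name. */
int dns_name_copy_naive(const uint8_t *msg, size_t mlen, size_t *pos,
                        char *dst, size_t dl)
{
    size_t written = 0;
    while (*pos < mlen) {
        uint8_t ll = msg[(*pos)++];
        if (ll == 0) {
            dst[written++] = '\0';
            return (int)written;
        }
        if ((ll & 0xc0) != 0)            /* compression pointer: unsupported */
            return -1;
        if (*pos + ll > mlen)            /* label runs past the message */
            return -1;
        if ((size_t)ll + 2 > dl)         /* per-label check only: the bug */
            return -1;
        memcpy(dst + written, msg + *pos, ll);
        written += ll;
        dst[written++] = '.';
        *pos += ll;
    }
    return -1;                           /* no terminating zero label */
}

/* Hardened form: every write is checked against what is left of dl. */
int dns_name_copy_checked(const uint8_t *msg, size_t mlen, size_t *pos,
                          char *dst, size_t dl)
{
    size_t written = 0;
    while (*pos < mlen) {
        uint8_t ll = msg[(*pos)++];
        if (ll == 0) {
            if (written + 1 > dl)
                return -1;
            dst[written++] = '\0';
            return (int)written;
        }
        if ((ll & 0xc0) != 0)
            return -1;
        if (*pos + ll > mlen)
            return -1;
        if (written + ll + 1 > dl)       /* label plus '.' must still fit */
            return -1;
        memcpy(dst + written, msg + *pos, ll);
        written += ll;
        dst[written++] = '.';
        *pos += ll;
    }
    return -1;
}

/* Constructed names (octal escapes, so the length byte is not swallowed by
 * a hex escape): four 7-byte labels totalling 33 bytes as text, and a short
 * benign one. sizeof includes the terminating zero label. */
static const uint8_t hostile_name[] = "\007aaaaaaa\007bbbbbbb\007ccccccc\007ddddddd";
static const uint8_t benign_name[]  = "\002ab\002cd";

/* Naive copy of the hostile name into a buffer advertised as 16 bytes; the
 * 64-byte scratch keeps the demo within bounds while exposing the overrun. */
int demo_naive_overrun(void)
{
    char scratch[64]; size_t pos = 0;
    return dns_name_copy_naive(hostile_name, sizeof hostile_name, &pos, scratch, 16);
}

int demo_checked_reject(void)
{
    char buf[16]; size_t pos = 0;
    return dns_name_copy_checked(hostile_name, sizeof hostile_name, &pos, buf, sizeof buf);
}

int demo_checked_ok(void)
{
    char buf[16]; size_t pos = 0;
    return dns_name_copy_checked(benign_name, sizeof benign_name, &pos, buf, sizeof buf);
}

int main(void)
{
    printf("naive wrote %d bytes into a 16-byte destination\n", demo_naive_overrun());
    printf("checked: hostile=%d benign=%d\n", demo_checked_reject(), demo_checked_ok());
    return 0;
}
```

With a real stack buffer instead of the oversized scratch, the naive copy is exactly the write past the end of the destination that AddressSanitizer flags in the harness below; the hardened copy refuses the name at the third label.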
Testing harness setup:
```bash
# Clone the libwebsockets repository
git clone https://github.com/warmcat/libwebsockets.git
cd libwebsockets
# Build with AddressSanitizer and async-DNS enabled
cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 -DCMAKE_C_FLAGS="-fsanitize=address" .
make -C build lws-test-async-dns
# Run the test harness with the PoC payload
./build/bin/lws-test-async-dns < poc_stackbof
```
The AddressSanitizer will report the stack buffer overflow, confirming the vulnerability.
3. Use-After-Free in WebSocket Handshake (CVE-2025-11677)
CVE-2025-11677 is a use-after-free vulnerability in the WebSocket server implementation. The flaw exists within the `lws_handshake_server()` function in lib/roles/http/server/server.c. In specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, an attacker can trigger a denial-of-service condition.
Technical detail: During the WebSocket upgrade handshake, memory is freed prematurely while still being referenced. When the callback function executes, it attempts to access already-freed memory, causing a crash. While primarily a DoS vulnerability, use-after-free flaws can sometimes be escalated to code execution depending on heap layout and exploitation techniques.
Affected versions (Debian package versions): bullseye's 4.0.20-2 through sid, with fixes available in 4.0.20-2+deb11u1 and later.
Detection commands:
```bash
# Check whether the vulnerable callback pattern exists in your code
grep -r "LWS_CALLBACK_HTTP_CONFIRM_UPGRADE" /path/to/source/
# Monitor for crashes in the WebSocket handshake
journalctl -u your-service | grep -i "websocket.handshake"
# Check whether the fix is applied (Debian/Ubuntu)
apt list --installed 'libwebsockets*'
```
4. Heap Overflow in PNG Parsing (CVE-2025-11680)
CVE-2025-11680 is an out-of-bounds write in the `unfilter_scanline` function when the `LWS_WITH_UPNG` flag is enabled during compilation. The vulnerability is triggered when a user visits an attacker-controlled website containing a crafted PNG file with a large width value. This causes an integer overflow that determines the size of a heap allocation.
Attack vector: The attacker crafts a PNG file whose width value makes the product `width * bypp` (bytes per pixel) overflow, so that `bypl` (bytes per line) is set to 0. The subsequent heap allocation is undersized, and the scanline write overflows the buffer, potentially causing a crash or enabling code execution.
Affected versions: libwebsockets from version 4.0.20 through 4.3.6 and 4.4.2. The vulnerable code was introduced in v4.4.0 and fixed in commit 2b715249f39291c86443b969a1088d59b6a89b78.
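The width-times-bytes-per-pixel overflow, as an added illustration in C. This is not the libwebsockets upng code; it parses a constructed PNG IHDR chunk body (PNG specification 11.2.2: `width u32 | height u32 | bit depth u8 | colour type u8 | three method bytes`) and derives the pixel bytes per scanline, once with the unchecked 32-bit product the text describes and once with the validation a decoder needs before sizing a heap buffer. The 64 MiB scanline cap is an assumed policy limit for the example, sub-byte bit depths are left out for brevity, and the IHDR bytes are constructed rather than taken from a real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed policy limit: refuse scanlines over 64 MiB even when the arithmetic
 * itself does not overflow (a 64-bit build would otherwise happily size a
 * 4 GB buffer for the hostile image below). */
#define MAX_BYPL (64u * 1024u * 1024u)

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Channels per pixel for the standard colour types: 0 greyscale, 2 RGB,
 * 3 palette, 4 grey+alpha, 6 RGBA. Returns 0 for anything else. */
static uint32_t png_channels(uint8_t colour_type)
{
    switch (colour_type) {
    case 0: case 3: return 1;
    case 4:         return 2;
    case 2:         return 3;
    case 6:         return 4;
    default:        return 0;
    }
}

/* Vulnerable pattern (illustrative): width * bypp in 32-bit arithmetic.
 * A width of 0x40000000 with 4 bytes per pixel wraps to 0, so the caller
 * allocates an (almost) empty buffer and then writes a whole scanline into it. */
uint32_t png_bypl_unchecked(const uint8_t *ihdr)
{
    uint32_t width = be32(ihdr);
    uint32_t bypp = png_channels(ihdr[9]) * ihdr[8] / 8;
    return width * bypp;
}

/* Hardened form: validate the fields, cap width at the spec maximum (2^31 - 1),
 * compute in 64 bits with an explicit overflow guard, and apply the policy cap.
 * Returns the pixel bytes per line (the filter byte is added by the caller),
 * or -1 if the image must be rejected. */
int64_t png_bypl_checked(const uint8_t *ihdr)
{
    uint32_t width = be32(ihdr);
    uint8_t depth = ihdr[8], ct = ihdr[9];
    uint32_t channels = png_channels(ct);

    if (width == 0 || width > 0x7fffffffu || channels == 0)
        return -1;
    if (depth != 8 && depth != 16)          /* sub-byte depths omitted here */
        return -1;
    uint64_t bypp = (uint64_t)channels * depth / 8;
    if (width > UINT64_MAX / bypp)          /* cannot happen with the limits
                                               above, kept so the guard survives
                                               if they are ever relaxed */
        return -1;
    uint64_t bypl = (uint64_t)width * bypp;
    if (bypl > MAX_BYPL)
        return -1;
    return (int64_t)bypl;
}

/* Constructed IHDR bodies (not real files): 640x480 RGB8, and a hostile
 * 0x40000000-wide, 1-high RGBA8 image. */
static const uint8_t ihdr_benign[13]  = { 0,0,2,0x80, 0,0,1,0xe0, 8, 2, 0,0,0 };
static const uint8_t ihdr_hostile[13] = { 0x40,0,0,0, 0,0,0,1, 8, 6, 0,0,0 };

int main(void)
{
    printf("benign:  unchecked=%u checked=%lld\n",
           png_bypl_unchecked(ihdr_benign), (long long)png_bypl_checked(ihdr_benign));
    printf("hostile: unchecked=%u checked=%lld\n",
           png_bypl_unchecked(ihdr_hostile), (long long)png_bypl_checked(ihdr_hostile));
    return 0;
}
```

Note that the overflow guard alone is not enough on a 64-bit build: the product fits, so a policy limit on image dimensions or scanline size is what actually stops the attacker from dictating the allocation.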
Mitigation options:
- Upgrade to version 4.3.7 or later on the 4.3 branch, or to a 4.4 release that contains the fix commit
- Disable `LWS_WITH_UPNG` during compilation if PNG support is not required
- Backport the fix commit if an immediate upgrade is not possible
```bash
# Check whether UPNG is enabled in your build: the installed build-configuration
# header (path varies with the install prefix) and the library's own strings
grep LWS_WITH_UPNG /usr/include/lws_config.h
strings /usr/lib/x86_64-linux-gnu/libwebsockets.so | grep -i upng
# Rebuild without UPNG support
cmake -DLWS_WITH_UPNG=OFF .
make && sudo make install
```
5. Comprehensive Remediation and Hardening Strategy
Priority 1: Upgrade to patched versions
| Distribution | Fixed Version |
|---|---|
| Debian bullseye | 4.0.20-2+deb11u1 |
| Debian bookworm | 4.1.6-3 |
| Debian trixie | 4.3.5-1+deb13u1 |
| Ubuntu 22.04 LTS | 4.0.20-2ubuntu1.1 |
| Ubuntu 24.04 LTS | 4.3.3-1.1ubuntu0.1~esm1 |
Step-by-step upgrade process:
```bash
# Debian/Ubuntu (the runtime package name carries the soname suffix, libwebsocketsNN,
# so a plain "apt upgrade libwebsockets" does not name an installed package)
sudo apt update
sudo apt upgrade
# RHEL/CentOS/Fedora
sudo dnf update libwebsockets
# Verify the upgrade. The '+' and '.' in the version strings are regex
# metacharacters, so escape them or the pattern matches the wrong versions.
ldconfig -p | grep libwebsockets
dpkg -l 'libwebsockets*' | grep -E '4\.0\.20-2\+deb11u1|4\.1\.6-3|4\.3\.5-1'
```
Priority 2: Compilation flag hardening
If upgrading is not immediately possible, disable vulnerable features:
```bash
# Disable UPNG (heap overflow in PNG parsing)
cmake -DLWS_WITH_UPNG=OFF .
# Disable async-DNS (stack buffer overflow)
cmake -DLWS_WITH_SYS_ASYNC_DNS=OFF .
# For Windows builds, keep LWS_WITHOUT_EXTENSIONS ON (its default)
cmake -DLWS_WITHOUT_EXTENSIONS=ON .
```
Priority 3: Network-layer protections
- Deploy Web Application Firewalls (WAF) to filter malformed WebSocket and SSH packets
- Implement rate limiting on connection attempts to mitigate resource exhaustion
- Use network segmentation to limit exposure of libwebsockets services to trusted networks only
- Monitor for anomalous memory allocation patterns using system-level tools:
```bash
# Monitor memory usage of libwebsockets processes
watch -n 1 'ps aux | grep libwebsockets | grep -v grep'
# Monitor for crash loops
journalctl -u your-service -f | grep -iE "segfault|core dumped"
```
Set per-process memory limits by adding the following to the `[Service]` section of the unit file (or a drop-in under `/etc/systemd/system/your-service.service.d/`), so that a connection storm against the SSH handler hits the cgroup limit instead of exhausting the host:
```ini
[Service]
MemoryHigh=384M
MemoryMax=512M
```
Priority 4: Security monitoring and detection
Implement detection rules for exploitation attempts:
```bash
# Capture traffic to the lws SSH handler for offline inspection. "SSH_MSG_KEXINIT"
# and "msg_len" are source-code identifiers, not strings on the wire: the KEXINIT
# id is the single byte 0x14 that follows the 4-byte packet_length and 1-byte
# padding_length, so ASCII-grepping the stream finds nothing. Inspect the pcap
# with a protocol-aware tool and alert on packet_length values far above the
# 35000-byte limit of RFC 4253.
tcpdump -i any -s 0 -w ssh-capture.pcap 'port 22'   # substitute the port your lws sshd listens on

# Likewise for DNS: an overlong label is a structural property of the response
# (label length bytes adding up past the name limit), not a text marker.
tcpdump -i any -s 0 -w dns-capture.pcap 'udp port 53'

# Monitor AddressSanitizer reports in test environments
find /var/log -name "*asan*" -exec grep -H "ERROR: AddressSanitizer" {} \;
```
What Undercode Say
Key Takeaway 1: Libwebsockets is under intense research scrutiny. The concentration of vulnerabilities discovered in 2025-2026, including the pre-auth heap overflow (CVE-2026-10650), the stack buffer overflow (CVE-2025-11678), the use-after-free (CVE-2025-11677), and the heap overflow in PNG parsing (CVE-2025-11680), indicates that security researchers are systematically dissecting this library. Organizations should prioritize patching, as these flaws are likely to be weaponized in the coming months.
Key Takeaway 2: Pre-auth vulnerabilities are the most critical. The ability to trigger memory corruption without any credentials makes CVE-2026-10650 and CVE-2025-11678 particularly dangerous, though their reach differs: the SSH handler flaw can be hit by anyone able to open a connection to the service, which is what makes it a candidate for automated, network-wide exploitation, whereas the async-DNS flaw requires an attacker positioned to observe and spoof the victim's DNS responses, as in the on-path scenario described above. The SSH protocol handler flaw is especially concerning given SSH's ubiquity in infrastructure management.
Key Takeaway 3: Default configurations are not always safe. While some vulnerabilities require specific compilation flags (LWS_WITH_UPNG, LWS_WITH_SYS_ASYNC_DNS), these features are often enabled in production builds for functionality. Organizations must audit their build configurations and disable unnecessary features as a defense-in-depth measure.
Key Takeaway 4: The Windows attack surface cannot be ignored. CVE-2025-1866 specifically affects Windows builds, reminding us that cross-platform libraries introduce platform-specific vulnerabilities. Security teams managing mixed environments must verify patches across all operating systems.
Key Takeaway 5: Testing harnesses enable proactive discovery. The availability of AddressSanitizer-based test harnesses for these vulnerabilities allows security teams to validate their own deployments. Organizations should integrate these tests into their CI/CD pipelines to catch regressions before they reach production.
The cumulative effect of these vulnerabilities paints a concerning picture: libwebsockets, a library trusted in millions of deployments from embedded IoT to enterprise servers, has been harboring critical memory corruption flaws for years. The pre-auth nature of the most severe issues means that a single unauthenticated packet can cripple services or enable remote code execution. While patches are now available, the widespread use of libwebsockets in long-lived embedded systems suggests that many vulnerable instances will remain unpatched for years. Security teams must act decisively—upgrade immediately, audit build configurations, and implement network-layer protections to buy time for comprehensive remediation. The window between disclosure and widespread exploitation is closing rapidly.
Prediction
- -1: Expect weaponized exploits for CVE-2026-10650 and CVE-2025-11678 to appear in public exploit frameworks within 30-60 days. The availability of PoC code and the pre-auth nature of these flaws make them prime candidates for inclusion in automated attack tools.
- -1: Embedded IoT devices running libwebsockets will remain vulnerable for years due to infrequent firmware updates. Expect botnets to incorporate these vulnerabilities for lateral movement and DDoS amplification.
- +1: The rigorous security research attention on libwebsockets will lead to improved code quality and more robust memory safety practices in future versions. The project maintainers have demonstrated responsiveness in issuing patches.
- -1: Organizations that fail to patch within the next 90 days face significant risk of compromise, particularly in environments where libwebsockets services are exposed to the internet or untrusted networks.
- +1: The development of comprehensive test harnesses and AddressSanitizer integrations will enable better automated vulnerability detection, reducing the likelihood of similar flaws persisting in the codebase.
- -1: The SSH protocol handler vulnerability (CVE-2026-10650) poses an especially severe threat given SSH's critical role in infrastructure management. A successful exploit could lead to complete system compromise in environments where libwebsockets handles SSH connections.
- +1: The open-source community's rapid response to these disclosures, with fixes available across major Linux distributions within weeks, demonstrates the effectiveness of coordinated vulnerability disclosure.
Reported By: Maher Azzouzi – Hackers Feeds


