{"id":"USN-8024-1","summary":"libwebsockets vulnerabilities","details":"Raffaele Bova discovered that Libwebsockets incorrectly handled memory\nwhen the upgrade header is not valid in the WebSocket server. An\nattacker could possibly use this issue to cause a denial of service.\n(CVE-2025-11677)\n\nRaffaele Bova discovered that Libwebsockets did not properly check the\nsize of the destination buffer in the async-dns component. An attacker\ncould possibly use this issue to cause applications to crash, leading to a\ndenial of service, or possibly execute arbitrary code. This issue only\naffected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-11678)","modified":"2026-04-27T18:36:50.452678Z","published":"2026-02-11T12:58:26Z","related":["UBUNTU-CVE-2025-11677","UBUNTU-CVE-2025-11678"],"upstream":["CVE-2025-11677","CVE-2025-11678","UBUNTU-CVE-2025-11677","UBUNTU-CVE-2025-11678"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8024-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-11677"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-11678"}],"affected":[{"package":{"name":"libwebsockets","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/libwebsockets@3.2.1-3ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.1-3ubuntu0.1~esm1"}]}],"versions":["2.0.3-3build1","3.2.1-3"],"ecosystem_specific":{"binaries":[{"binary_name":"libwebsockets-test-server","binary_version":"3.2.1-3ubuntu0.1~esm1"},{"binary_name":"libwebsockets-test-server-common","binary_version":"3.2.1-3ubuntu0.1~esm1"},{"binary_name":"libwebsockets15","binary_version":"3.2.1-3ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-11677"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8024-1.json"}},{"package":{"name":"libwebsockets","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libwebsockets@4.0.20-2ubuntu1.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.20-2ubuntu1.1"}]}],"versions":["4.0.20-2","4.0.20-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"libwebsockets-test-server","binary_version":"4.0.20-2ubuntu1.1"},{"binary_name":"libwebsockets-test-server-common","binary_version":"4.0.20-2ubuntu1.1"},{"binary_name":"libwebsockets16","binary_version":"4.0.20-2ubuntu1.1"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-11677"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-11678"}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8024-1.json"}},{"package":{"name":"libwebsockets","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/libwebsockets@4.3.3-1.1ubuntu0.1~esm1?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.3-1.1ubuntu0.1~esm1"}]}],"versions":["4.3.2-4","4.3.3-1","4.3.3-1.1build1","4.3.3-1.1build2","4.3.3-1.1build3"],"ecosystem_specific":{"binaries":[{"binary_name":"libwebsockets-evlib-ev","binary_version":"4.3.3-1.1ubuntu0.1~esm1"},{"binary_name":"libwebsockets-evlib-glib","binary_version":"4.3.3-1.1ubuntu0.1~esm1"},{"binary_name":"libwebsockets-evlib-uv","binary_version":"4.3.3-1.1ubuntu0.1~esm1"},{"binary_name":"libwebsockets-test-server","binary_version":"4.3.3-1.1ubuntu0.1~esm1"},{"binary_name":"libwebsockets-test-server-common","binary_version":"4.3.3-1.1ubuntu0.1~esm1"},{"binary_name":"libwebsockets19t64","binary_version":"4.3.3-1.1ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-11677"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-11678"}],"ecosystem":"Ubuntu:Pro:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8024-1.json"}}],"schema_version":"1.7.5"}