CVE-2026-10650
warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption
A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
warmcat · libwebsocketspublic PoCs found — 2
cve_referencegithub.com/biniamf/pocs/blob/main/libwebsockets_sshd-parse-ic-unbounded-alloc/poc_sshd_unbounded_alloc.pyunverifiedcve_referencegithub.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-allocunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/biniamf/pocs/blob/main/libwebsockets_sshd-parse-ic-unbounded-alloc/poc_sshd_unbounded_alloc.pyhttps://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-allochttps://github.com/warmcat/libwebsockets/https://github.com/warmcat/libwebsockets/commit/3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498https://vuldb.com/cve/CVE-2026-10650https://vuldb.com/submit/830261https://vuldb.com/vuln/367955https://vuldb.com/vuln/367955/cti