VYPR
High severity 7.5 · NVD Advisory · Published Oct 3, 2025 · Updated May 19, 2026

CVE-2025-11234

Description

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in QEMU's VNC WebSocket handshake allows a malicious client to cause a denial of service by getting the channel freed before the handshake completes.

Vulnerability

Description

A flaw was found in QEMU's VNC WebSocket channel handling. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This is a race condition or improper cleanup in the WebSocket handshake code path.
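The lifetime bug described above, reduced to a self-contained C sketch (an added example, not QEMU code): a toy watch table stands in for GLib's GSource machinery, and `struct channel`, `hs_tag` and all function names are hypothetical. It contrasts a teardown that leaves the handshake watch registered with one that cancels the watch before releasing the object.

```c
#include <stdlib.h>
/* Toy main loop: a table of pending watches standing in for GSources. */
typedef void (*watch_cb)(void *opaque);
struct source { watch_cb cb; void *opaque; };
static struct source loop[8];

static unsigned source_add(watch_cb cb, void *opaque) {
    for (unsigned i = 0; i < 8; i++)
        if (!loop[i].cb) {
            loop[i] = (struct source){ cb, opaque };
            return i + 1;          /* tags are 1-based; 0 means "none" */
        }
    return 0;
}
static void source_remove(unsigned tag) {
    if (tag) loop[tag - 1] = (struct source){ NULL, NULL };
}
/* Hypothetical channel that waits for handshake I/O through one watch. */
struct channel { unsigned hs_tag; int handshake_done; };
static void handshake_cb(void *opaque) {
    struct channel *c = opaque;    /* dangling if the channel was freed first */
    c->handshake_done = 1;
}
static struct channel *channel_begin_handshake(void) {
    struct channel *c = calloc(1, sizeof *c);
    if (c) c->hs_tag = source_add(handshake_cb, c);
    return c;
}
/* Flawed teardown: memory is released, the watch stays registered. */
static void channel_free_leaky(struct channel *c) { free(c); }
/* Hardened teardown: cancel the pending watch, then release memory. */
static void channel_free_safe(struct channel *c) {
    source_remove(c->hs_tag);
    free(c);
}
/* 1 if a watch still targets the channel after teardown, 0 if not, -1 on OOM. */
static int watch_outlives_channel(void (*teardown)(struct channel *)) {
    struct channel *c = channel_begin_handshake();
    if (!c) return -1;
    unsigned tag = c->hs_tag;
    teardown(c);
    int live = tag && loop[tag - 1].cb != NULL;
    source_remove(tag);            /* never dispatched: cb would touch freed c */
    return live;
}
int main(void) {                   /* exits 0 when only the leaky path leaks */
    return !(watch_outlives_channel(channel_free_leaky) == 1 &&
             watch_outlives_channel(channel_free_safe) == 0);
}
```

Building the real component with AddressSanitizer is the practical way to catch this class of bug, since a stale callback then faults on first access to the freed object.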

Exploitation

A malicious client with network access to the VNC WebSocket port can abuse this vulnerability by initiating a WebSocket handshake and then causing the channel to be freed before the handshake completes. This requires network access to the VNC port (typically 5900 or a custom port) but does not require authentication. The attack is limited to the handshake phase, prior to VNC client authentication.

Impact

Successful exploitation leads to a denial of service (DoS) condition. The attacker can crash the QEMU process or cause it to become unresponsive, impacting the availability of the virtual machine or host. The CVSS v3 base score of 7.5 (High) reflects the high availability impact without requiring authentication or user interaction.

Mitigation

Red Hat has released security updates for multiple Enterprise Linux versions, including 8 and 9, as referenced in [1], [2], [3], and [4]. Users should apply the updated qemu-kvm packages to remediate this vulnerability.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • QEMU/Qemu (inferred), 2 versions
    • (no CPE)
    • (no CPE)

Patches

0

No patches discovered yet.

References

11
