CVE-2026-10650
Description
A vulnerability in libwebsockets allows remote attackers to cause a denial-of-service by triggering unbounded memory allocation via crafted SSH messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in the lws_ssh_parse_plaintext() function in plugins/protocol_lws_ssh_base/sshd.c of warmcat libwebsockets up to and including version 4.5.8. The function assembles the per-session message length (pss->msg_len) from attacker-controlled bytes of the SSH packet header and uses it without an upper-bound check; only a minimum-size check ("illegal msg size") was present. The flaw is in the SSH Protocol Handler component (the sshd plugin).
Exploitation
An unauthenticated remote attacker can exploit this by sending a crafted SSH packet whose length field is excessively large. When the message ID is SSH_MSG_KEXINIT, the parser passes that msg_len directly to sshd_zalloc(), so the attacker chooses the allocation size [2].
Impact
Successful exploitation causes resource consumption, i.e. a denial-of-service (DoS) condition. A single connection can trigger a heap allocation of roughly 128 MB and, because the length field is 32 bits wide, up to about 4 GB. Repeated connections can exhaust system memory until the server process is terminated by the Out-Of-Memory (OOM) killer [2].
Mitigation
The fix is commit 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 [4], which adds a 256 KiB ceiling (LWS_SSH_MAX_PACKET_SIZE) on the parsed message length and drops the session when it is exceeded. The fixed release is expected to be 4.5.9 or later; update to a patched version as soon as one is available. No workarounds are disclosed in the available references.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.5.8
Patches
3f9f0c6ecaf0 ssh: plugin: add limit to resource exhaustion
1 file changed · +8 −1
plugins/protocol_lws_ssh_base/sshd.c+8 −1 modified@@ -1,7 +1,7 @@ /* * libwebsockets - small server side websockets and web server implementation * - * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com> + * Copyright (C) 2010 - 2026 Andy Green <andy@warmcat.com> * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to @@ -28,6 +28,8 @@ #include <string.h> #include <stdlib.h> +#define LWS_SSH_MAX_PACKET_SIZE (256 * 1024) + void *sshd_zalloc(size_t s) { void *p = malloc(s); @@ -592,6 +594,11 @@ lws_ssh_parse_plaintext(struct per_session_data__sshd *pss, uint8_t *p, size_t l pss->parser_state = SSHS_MSG_PADDING; pss->ctr = 0; pss->pos = 4; + + if (pss->msg_len > LWS_SSH_MAX_PACKET_SIZE) { + lwsl_notice("msg size %u exceeds maximum\n", pss->msg_len); + goto bail; + } if (pss->msg_len < 2 + 4) { lwsl_notice("illegal msg size\n"); goto bail;
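Review bot: the LWS_SSH_MAX_PACKET_SIZE define added in the second hunk carries no comment on why 256 KiB was chosen; a one-line note that it sits well above the 35000-byte minimum total packet size that RFC 4253 section 6.1 requires implementations to accept, and far above any legitimate KEXINIT payload, would stop a future reader from "fixing" the value in either direction. Suggest:
+/* ceiling on packet_length; RFC 4253 6.1 requires accepting at least 35000 bytes */
+#define LWS_SSH_MAX_PACKET_SIZE (256 * 1024)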
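Review bot: the new bound check in the third hunk is correctly placed before the existing `pss->msg_len < 2 + 4` minimum check and reuses the same bail path, but it logs at lwsl_notice for a condition that any unauthenticated peer can trigger at will; on a public listener that is a log-flooding lever, so lwsl_info (or a once-per-session notice) is preferable. The diff also adds no test exercising both sides of the boundary (256*1024 accepted, 256*1024 + 1 rejected), which is the case most likely to regress when someone later changes the constant.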
Vulnerability mechanics
Root cause
"The function lws_ssh_parse_plaintext does not validate the msg_len argument, allowing for excessively large allocations."
Attack vector
An unauthenticated remote attacker can trigger this vulnerability by sending specially crafted SSH packets. The attacker manipulates the `msg_len` field to be excessively large, which is then used directly in a memory allocation without an upper-bound check [ref_id=1]. This can lead to resource exhaustion on the server.
Affected code
The vulnerability resides in the `lws_ssh_parse_plaintext` function within the file `plugins/protocol_lws_ssh_base/sshd.c`. Specifically, the code assembles `pss->msg_len` from attacker-controlled bytes without an upper-bound check [ref_id=1]. The patch modifies this file by adding a size check before proceeding with the allocation [patch_id=4547982].
What the fix does
The patch introduces a maximum packet size constant, `LWS_SSH_MAX_PACKET_SIZE`, and adds a check within `lws_ssh_parse_plaintext` to ensure that `pss->msg_len` does not exceed this limit [patch_id=4547982]. If the message length is too large, the function now exits gracefully, preventing the unbounded memory allocation that could lead to resource exhaustion.
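As an added illustration (constructed for this page, not libwebsockets code), the following C program puts the pre-fix pattern beside the post-fix pattern: a 4-byte big-endian SSH packet_length is decoded from the packet header and, in the old shape, handed straight to the allocator; in the new shape it is rejected above a 256 KiB ceiling that mirrors LWS_SSH_MAX_PACKET_SIZE. The function names, the constructed header bytes and the SSH_MIN_PACKET_SIZE constant are assumptions for illustration; only the 256 KiB limit and the `< 2 + 4` minimum come from the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example, not libwebsockets code. It mirrors the shape of the
 * SSH binary packet header that lws_ssh_parse_plaintext reads: a 4-byte
 * big-endian packet_length (RFC 4253 section 6) that the server then trusts.
 * SSH_MAX_PACKET_SIZE mirrors LWS_SSH_MAX_PACKET_SIZE from the fix;
 * SSH_MIN_PACKET_SIZE mirrors the "illegal msg size" check already present.
 */
#define SSH_MAX_PACKET_SIZE (256u * 1024u)
#define SSH_MIN_PACKET_SIZE (2u + 4u)

/* Decode the leading big-endian uint32 packet_length. */
static uint32_t ssh_packet_length(const uint8_t hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/*
 * Pre-fix pattern: the attacker-controlled length becomes the allocation
 * size with no upper bound. Returns the size that would reach the
 * allocator; it deliberately does not allocate, so the demo cannot OOM.
 */
size_t unbounded_alloc_size(const uint8_t hdr[4])
{
    uint32_t msg_len = ssh_packet_length(hdr);

    if (msg_len < SSH_MIN_PACKET_SIZE)   /* the only check the old code had */
        return 0;

    return (size_t)msg_len;              /* up to ~4 GiB per connection */
}

/*
 * Post-fix pattern: reject anything above the ceiling before the length
 * can reach the allocator. Returns 0 to mean "bail and drop the session".
 */
size_t bounded_alloc_size(const uint8_t hdr[4])
{
    uint32_t msg_len = ssh_packet_length(hdr);

    if (msg_len > SSH_MAX_PACKET_SIZE) {
        fprintf(stderr, "msg size %u exceeds maximum\n", (unsigned)msg_len);
        return 0;
    }
    if (msg_len < SSH_MIN_PACKET_SIZE) {
        fprintf(stderr, "illegal msg size\n");
        return 0;
    }
    return (size_t)msg_len;
}

/*
 * Allocate the message buffer only through the bounded path; this is the
 * shape a hardened handler takes. Returns NULL when the header is rejected.
 */
uint8_t *alloc_msg_buffer(const uint8_t hdr[4])
{
    size_t n = bounded_alloc_size(hdr);

    return n ? calloc(1, n) : NULL;
}

int main(void)
{
    /* Constructed headers: a benign 20-byte packet, a crafted near-4 GiB
     * length, and the two sides of the 256 KiB boundary. */
    const uint8_t benign[4]     = { 0x00, 0x00, 0x00, 0x14 };
    const uint8_t crafted[4]    = { 0xff, 0xff, 0xff, 0xf0 };
    const uint8_t at_limit[4]   = { 0x00, 0x04, 0x00, 0x00 };
    const uint8_t over_limit[4] = { 0x00, 0x04, 0x00, 0x01 };
    uint8_t *buf;

    printf("benign:   old=%zu new=%zu\n",
           unbounded_alloc_size(benign), bounded_alloc_size(benign));
    printf("crafted:  old=%zu new=%zu\n",
           unbounded_alloc_size(crafted), bounded_alloc_size(crafted));
    printf("at limit: new=%zu  over limit: new=%zu\n",
           bounded_alloc_size(at_limit), bounded_alloc_size(over_limit));

    buf = alloc_msg_buffer(crafted);
    printf("crafted allocation %s\n", buf ? "succeeded" : "refused");
    free(buf);
    return 0;
}
```

The old path returns the attacker's full 32-bit value for the crafted header, which is exactly the number that used to reach sshd_zalloc(); the hardened path refuses it before any allocation happens, while a header at exactly 256 KiB is still accepted and one byte more is not.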
Preconditions
- auth: The attacker does not require any authentication.
- network: The vulnerability can be exploited over the network.
- input: The attacker must send crafted SSH packets with a manipulated msg_len field.
Reproduction
## CVE-2026-10650: libwebsockets SSHD OOM
This PoC targets the vulnerability in libwebsockets' SSH protocol handler (sshd.c): an unbounded allocation that lets an unauthenticated client cause a denial of service. It sends a crafted SSH packet whose `msg_len` field is excessively large, driving the server into an Out-Of-Memory (OOM) condition.
### Steps to Reproduce:
1. **Clone the repository:**
```bash
git clone https://github.com/biniamf/pocs.git
cd pocs/libwebsockets_sshd-parse-ic-unbounded-alloc
```
2. **Run the PoC:** The referenced PoC is the Python script `poc_sshd_unbounded_alloc.py` in that directory. Run it against a libwebsockets SSH test server you control, passing the target host and port as the script's own usage describes, and watch the server logs for resource-exhaustion messages or OOM-killer events.
**Note:** This PoC is intended for security research and testing purposes only. Ensure you have explicit permission before running it against any system.
[ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/biniamf/pocs/blob/main/libwebsockets_sshd-parse-ic-unbounded-alloc/poc_sshd_unbounded_alloc.py [nvd]
- github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc [nvd]
- github.com/warmcat/libwebsockets/commit/3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 [nvd]
- vuldb.com/cve/CVE-2026-10650 [nvd]
- vuldb.com/submit/830261 [nvd]
- vuldb.com/vuln/367955 [nvd]
- vuldb.com/vuln/367955/cti [nvd]