CVE-2025-11234

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions QEMU (affected versions not specified)

Description A flaw exists in QEMU where freeing the QIOChannelWebsock object during a handshake process results in a GSource leak. This leak can cause a use-after-free condition when the callback attempts to use the channel. A malicious client with network access to the VNC WebSocket port can exploit this to cause a denial of service during the WebSocket handshake, before VNC client authentication.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

ALSA-2026:1831

ALSA-2026:18772

ALSA-2026:5578

AZL-68193

AZL-68202

BDU:2025-16063

CVE-2025-11234

OESA-2026-1263

OESA-2026-1351

OESA-2026-1353

OESA-2026-1354

OESA-2026-1355

OESA-2026-1848

OPENSUSE-SU-2025:15821-1

OPENSUSE-SU-2025:20171-1

RHSA-2025:23228

RHSA-2026:1831

RHSA-2026:18772

RHSA-2026:3077

RHSA-2026:3165

RHSA-2026:5578

SUSE-SU-2025:21230-1

SUSE-SU-2025:21233-1

SUSE-SU-2026:0022-1

SUSE-SU-2026:0039-1

SUSE-SU-2026:0288-1

SUSE-SU-2026:0356-1

SUSE-SU-2026:0436-1

SUSE-SU-2026:20008-1

SUSE-SU-2026:20038-1

USN-8073-1

Affected Products

Debian

Linuxmint

Qemu

Rocky Linux

Ubuntu

CVE-2025-11234

Weakness Enumeration

Related Identifiers

Affected Products

References · 101