PatchSiren cyber security CVE debrief
CVE-2025-11234 Red Hat CVE debrief
A use-after-free vulnerability exists in QEMU's QIOChannelWebsock implementation. The flaw occurs when a QIOChannelWebsock object is freed while awaiting WebSocket handshake completion, causing a GSource to be leaked. This leaked GSource may later fire its callback, triggering use-after-free access to the already-freed channel. A malicious client with network connectivity to the VNC WebSocket port can exploit this condition during the WebSocket handshake phase—before VNC authentication occurs—to cause denial of service. The vulnerability is remotely exploitable without authentication and requires no user interaction. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-03
- Original CVE updated: 2026-05-19
- Advisory published: 2025-10-03
- Advisory updated: 2026-05-19
Who should care
Organizations running QEMU-based virtualization infrastructure with VNC WebSocket enabled, particularly those exposing VNC services to network-accessible interfaces. Cloud providers, hosting providers, and enterprises with virtual desktop infrastructure (VDI) deployments using QEMU/KVM with browser-based VNC clients via WebSocket should prioritize assessment and patching.
Technical summary
The vulnerability resides in QEMU's QIOChannelWebsock component, which handles WebSocket connections for VNC. When a WebSocket handshake is in progress and the QIOChannelWebsock object is freed, the associated GSource (GLib event source) is not properly cleaned up. This leads to a use-after-free condition when the leaked GSource callback later executes, referencing the freed channel object. The attack surface is the VNC WebSocket port, and exploitation occurs prior to VNC authentication, making this a pre-auth remote denial of service vector. The CVSS 3.1 score of 7.5 (HIGH) reflects the network accessibility and high availability impact with low complexity requirements.
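The lifetime error described above, reduced to a self-contained C model as an added example (not QEMU, GLib or Red Hat code; every name in it is hypothetical). Cancelling the pending source in the teardown path is the general remedy for this bug class and is assumed here, not taken from the upstream patch.

```c
/* Simplified model of the bug class (CWE-416). Not QEMU or GLib code;
 * every name below is hypothetical. */
#include <stdlib.h>

#define MAX_SOURCES 8
typedef void (*source_cb)(void *user_data);
struct source { int active; source_cb cb; void *user_data; };
static struct source loop[MAX_SOURCES];    /* stand-in for the event loop */

struct channel { int hs_tag; int handshake_done; };

/* Register a one-shot callback; returns a non-zero tag (like a GSource id). */
static int source_add(source_cb cb, void *user_data) {
    for (int i = 0; i < MAX_SOURCES; i++)
        if (!loop[i].active) {
            loop[i] = (struct source){1, cb, user_data};
            return i + 1;
        }
    return 0;
}
static void source_remove(int tag) {
    if (tag > 0 && tag <= MAX_SOURCES) loop[tag - 1].active = 0;
}
static int source_is_pending(int tag) {
    return tag > 0 && tag <= MAX_SOURCES && loop[tag - 1].active;
}
/* Fire every pending source once; returns how many callbacks ran. */
static int loop_dispatch(void) {
    int ran = 0;
    for (int i = 0; i < MAX_SOURCES; i++)
        if (loop[i].active) { loop[i].active = 0; loop[i].cb(loop[i].user_data); ran++; }
    return ran;
}
static void handshake_cb(void *user_data) {
    struct channel *c = user_data;          /* dangling if c was already freed */
    c->hs_tag = 0;
    c->handshake_done = 1;
}
static struct channel *channel_new(void) {
    struct channel *c = calloc(1, sizeof *c);
    if (c) c->hs_tag = source_add(handshake_cb, c);
    return c;
}
/* Flawed teardown: the pending source keeps a pointer to freed memory. */
static void channel_free_leaky(struct channel *c) { free(c); }
/* Corrected teardown: cancel the pending source, then free. */
static void channel_free_safe(struct channel *c) {
    source_remove(c->hs_tag);
    free(c);
}
```

After `channel_free_leaky` the source is still pending, so the next dispatch would run `handshake_cb` on freed memory; after `channel_free_safe` nothing is left to fire.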
Defensive priority
high
Recommended defensive actions
- Apply vendor-provided security updates from Red Hat or your Linux distribution's security repository. RHSA advisories indicate patches are available for multiple RHEL versions.
- If immediate patching is not feasible, restrict network access to VNC WebSocket ports (typically 5900+ or configured WebSocket ports) to trusted administrative hosts only.
- Monitor for unexpected QEMU process crashes or VNC WebSocket connection terminations, which may indicate exploitation attempts.
- Review QEMU configurations to ensure VNC WebSocket interfaces are not exposed to untrusted networks unnecessarily.
- Validate that WebSocket proxy or load balancer configurations do not inadvertently expose VNC endpoints to broader network ranges than intended.
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. CWE-416 (Use After Free) classification confirmed by Red Hat source. Multiple Red Hat Security Advisories (RHSA-2025:23228, RHSA-2026:0326, RHSA-2026:0332, RHSA-2026:0702, RHSA-2026:1831, RHSA-2026:18772, RHSA-2026:3077, RHSA-2026:3165, RHSA-2026:5578) indicate active remediation across Red Hat Enterprise Linux distributions. Bugzilla reference 2401209 provides additional tracking. NVD vulnerability status marked as 'Deferred' as of 2026-05-19 modification date.