Libwebsockets
Unbounded memory allocation in warmcat libwebsockets up to 4.5.8 allows remote unauthenticated attackers to exhaust server heap resources by sending SSH packets with a crafted oversized `msg_len` value, resulting in denial of service. The vulnerability is confined to deployments using the optional SSH server plugin (`protocol_lws_ssh_base`) and carries a CVSS 5.3 Medium rating with no confidentiality or integrity impact. A public proof-of-concept exploit exists, and the CVSS temporal vector reflects both exploit availability (E:P) and an official patch (RL:O). The absence of a CISA KEV listing indicates no confirmed widespread in-the-wild exploitation as of the analysis date.
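The check this class of bug lacks, as an added example (not code from this page, from libwebsockets or from its patch): validate the SSH length prefix against a fixed ceiling before any allocation. All function and constant names are hypothetical, and the 35000-byte ceiling and 12-byte floor are assumptions derived from RFC 4253 section 6.1, not from the official fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bounds (RFC 4253 s6.1): implementations must accept packets up to
 * 35000 bytes; the smallest packet is 16 bytes including the 4-byte length. */
#define SSH_MAX_PACKET 35000u
#define SSH_MIN_PACKET 12u

enum { SSH_LEN_OK = 0, SSH_LEN_SHORT = -1, SSH_LEN_TOO_SMALL = -2,
       SSH_LEN_TOO_BIG = -3, SSH_LEN_NOMEM = -4 };

/* Decode the big-endian uint32 length prefix of an SSH binary packet. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Allocate a receive buffer only after the peer-supplied length has been
 * range-checked. The unsafe pattern is malloc(be32(hdr)) with no ceiling,
 * which lets an unauthenticated peer request up to 4 GiB per packet. */
int ssh_alloc_packet(const uint8_t *hdr, size_t hdr_len,
                     uint8_t **out, uint32_t *msg_len)
{
    *out = NULL;
    *msg_len = 0;
    if (hdr_len < 4)
        return SSH_LEN_SHORT;          /* length prefix not fully received */
    uint32_t len = be32(hdr);
    if (len < SSH_MIN_PACKET)
        return SSH_LEN_TOO_SMALL;      /* malformed: below protocol minimum */
    if (len > SSH_MAX_PACKET)
        return SSH_LEN_TOO_BIG;        /* reject and close the connection */
    uint8_t *buf = malloc(len);
    if (!buf)
        return SSH_LEN_NOMEM;
    *out = buf;
    *msg_len = len;
    return SSH_LEN_OK;
}

int main(void)
{
    const uint8_t crafted[4] = { 0xff, 0xff, 0xff, 0xff }; /* constructed input */
    uint8_t *buf; uint32_t n;
    printf("crafted header -> %d\n", ssh_alloc_packet(crafted, 4, &buf, &n));
    return 0;
}
```

A caller should treat any non-zero return other than `SSH_LEN_SHORT` as a protocol error and drop the connection rather than continue reading.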