CVE-2026-10650

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-10650
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-10650.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-10650
Downstream
Published
2026-06-02T21:15:10.566Z
Modified
2026-06-18T03:57:13.538420967Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption
Details

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lwssshparseplaintext of the file plugins/protocollwssshbase/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Database specific 
{
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-400",
        "CWE-404"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10650.json"
}
References

Affected packages

Git / github.com/warmcat/libwebsockets

Affected ranges

Type
GIT
Repo
https://github.com/warmcat/libwebsockets
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498
Database specific 
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.0"
        },
        {
            "last_affected": "4.5.1"
        },
        {
            "last_affected": "4.5.2"
        },
        {
            "last_affected": "4.5.3"
        },
        {
            "last_affected": "4.5.4"
        },
        {
            "last_affected": "4.5.5"
        },
        {
            "last_affected": "4.5.6"
        },
        {
            "last_affected": "4.5.7"
        },
        {
            "last_affected": "4.5.8"
        }
    ]
}

Affected versions

Other
deflate-stream-support
master-test-2015-11-06-1
master-test-2015-11-19-1
support-chrome-20-firefox-12
support-protocol-v7
support-protocol-v8-chrome-15-firefox-6
valgrind-clean
release-0.*
release-0.1
release-0.2
release-0.3
release-0.4
release-0.5
release-0.6
v1.*
v1.0-chrome25-firefox17
v1.1-chrome26-firefox18
v1.2-chrome26-firefox18
v1.21-chrome26-firefox18
v1.22-chrome26-firefox18
v1.23-chrome32-firefox24
v1.3-chrome37-firefox30
v1.4-chrome43-firefox-36
v1.5-chrome47-firefox41
v1.6.0-chrome48-firefox42
v1.7.0
v2.*
v2.0.0
v2.1-pre3
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v3.*
v3.0.0
v3.1.0
v4.*
v4.0.0
v4.1.0
v4.2-rc1
v4.2.0
v4.3.0
v4.4.0
v4.5.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-10650.json"