MEDIUM 5.3

CVE-2026-10650: Libwebsockets SSH Handler Resource Exhaustion Vulnerability

A flaw in libwebsockets (a widely-used WebSocket and networking library) allows attackers to exhaust server resources by manipulating a specific message length parameter in the SSH protocol handler. The vulnerability requires network access but no authentication, and an exploit has already been published. This is a denial-of-service issue that can make affected systems unresponsive without compromising data confidentiality or integrity.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-400, CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the lws_ssh_parse_plaintext function within plugins/protocol_lws_ssh_base/sshd.c in libwebsockets versions up to 4.5.8. By crafting malicious SSH protocol messages with manipulated msg_len arguments, an unauthenticated remote attacker can trigger excessive resource consumption, leading to denial of service. The flaw is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-404 (Improper Resource Validation), indicating insufficient bounds checking or validation of the message length parameter before resource allocation.

Business impact

Organizations deploying libwebsockets as an SSH server component face availability risk. A successful attack can render SSH services unresponsive, disrupting remote administration, secure file transfers, or any SSH-dependent workflows. Since no authentication is required, any internet-facing SSH implementation using the affected library is exposed. The business impact is primarily operational disruption rather than data breach, but extended downtime of administrative services can cascade into broader infrastructure issues.

Affected systems

Libwebsockets versions up to and including 4.5.8 are vulnerable if compiled with or actively using the SSH protocol handler plugin. Systems that use libwebsockets for WebSocket communication but do not enable or load the SSH protocol component are not affected. Verify your build configuration and loaded plugins. Embedded systems, IoT devices, and custom applications leveraging libwebsockets for SSH services are at highest risk.

Exploitability

Exploitability is straightforward: the attack vector is network-based, requires no authentication, and no user interaction. An attacker can send specially crafted SSH protocol frames remotely. The attack complexity is low. A working exploit has been publicly disclosed, lowering the barrier to weaponization. Organizations should assume this is actively being scanned for and tested in the wild.

Remediation

Apply the security patch identified by commit hash 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 or upgrade to a patched version of libwebsockets released after the fix. Verify against the vendor advisory for the specific version number and release date. If immediate patching is not feasible, disable or unload the SSH protocol handler plugin if your application does not require SSH functionality, or restrict SSH access via network segmentation and firewalls to trusted sources only.

Patch guidance

The vendor has issued a fix referenced by commit hash 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. Consult the official libwebsockets repository or security advisory to identify the corresponding version release containing this commit. Test the patched version in a staging environment to confirm SSH functionality remains intact and resource consumption is normalized under load. Rollout patches to production systems on an expedited timeline given public exploit availability.

Detection guidance

Monitor SSH service logs for unusual connection patterns, rapid connection establishment and disconnection, or repeated malformed SSH handshakes from the same source. Network intrusion detection systems (IDS) may identify abnormal SSH protocol framing or oversized message length fields. Resource monitoring on systems running libwebsockets SSH components should trigger alerts on unexplained CPU or memory spikes coinciding with SSH traffic. Consider deploying rate-limiting on SSH endpoints to mitigate the attack surface.

Why prioritize this

Although the CVSS score is moderate (5.3), the vulnerability warrants prioritized remediation because: (1) exploit code is publicly available, increasing attack likelihood; (2) authentication is not required, making every SSH-enabled instance a potential target; (3) the vector is remote and low-complexity; (4) denial-of-service of administrative services can have outsized operational impact. Organizations should treat this as a priority patch candidate despite the medium severity rating.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a network-reachable attack requiring no privileges or user interaction, resulting in availability loss but no confidentiality or integrity impact. The score is moderate rather than high because the attack causes service degradation rather than system compromise or data exfiltration. However, the real-world risk is elevated by public exploit availability and the critical nature of SSH for infrastructure management, warranting prioritization above the raw score might suggest.

Frequently asked questions

Do I need to worry about this if I use libwebsockets for WebSockets but not SSH?

Only if your build explicitly includes and loads the SSH protocol handler plugin (plugins/protocol_lws_ssh_base). If SSH functionality is not compiled in or enabled, your application is not vulnerable. Review your build configuration or check if the SSH plugin is present in your deployment.

Can this vulnerability be exploited from inside a private network, or only from the internet?

The attack vector is classified as network-accessible (AV:N), meaning any attacker with network reachability to the SSH service can exploit it. This includes both internet-facing and internal network scenarios. However, firewall rules and network segmentation can restrict who can reach the vulnerable service.

What exactly happens when this vulnerability is exploited?

The attacker sends malformed SSH messages with manipulated message length parameters, causing the server to allocate or consume resources inefficiently. This leads to resource exhaustion (CPU, memory, or connection limits), causing the SSH service to become slow or unresponsive, denying legitimate users access to SSH functionality.

Is patching the only option, or are there workarounds?

Patching is the recommended solution. Interim mitigations include disabling the SSH protocol plugin if not needed, restricting SSH access via firewall rules to trusted networks or IPs, implementing rate-limiting on SSH connections, and monitoring for the attack pattern. However, these are temporary measures—patching should be prioritized.

This analysis is based on publicly disclosed vulnerability information and CVSS scoring as of the publication date. Exploit availability and attack prevalence may change. Verify all patch version numbers, commit hashes, and technical details against official vendor advisories before deployment. Security teams should conduct their own testing and validation in staging environments prior to production rollout. This document is for informational purposes and should not substitute for comprehensive security assessments tailored to your specific infrastructure and threat landscape. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).