Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2025-11234

HIGH7.5

Qemu-kvm: vnc websocket handshake use-after-free

Published Oct 3, 2025

Modified 4 weeks ago

No fix available

Details

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

References

ADVISORYhttps://access.redhat.com/errata/RHSA-2025:23228 WEBhttps://access.redhat.com/security/cve/CVE-2025-11234 WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2401209 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-11234

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness Type (CWE)

Memory Safety

Ecosystems

Timeline

PublishedOct 3, 2025

ModifiedDec 17, 2025

CVE-2025-11234 | Mondoo Vulnerability Intelligence