CVE Alert: CVE-2025-11234 – Red Hat – Red Hat Enterprise Linux 10
CVE-2025-11234
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
AI Summary Analysis
Risk verdict
High potential for remote denial of service via the VNC WebSocket handshake; exploitation requires network access to the VNC port, and there is no current indication of active exploitation.
Why this matters
In virtualised environments, a DoS at the QEMU handshake stage can disrupt remote administration and guest VM availability, impacting uptime and service delivery. Because the flaw is triggered during handshake, an attacker could degrade or interrupt access to multiple VMs on affected hosts, with potential knock-on effects for dependent workloads and users.
Most likely attack path
Exploitation requires only network access to the VNC WebSocket interface (no credentials, no user interaction). The impact is confined by scope to the targeted host, but the remote nature and high availability impact make it a plausible, repeatable attack vector for service disruption.
Who is most exposed
Organisations running Red Hat Enterprise Linux hosts with qemu-kvm (including OpenShift virtualization and advanced virtualization variants) where the VNC WebSocket port is reachable from management or other networks.
Detection ideas
- Surges in VNC handshake failures and qemu-kvm crash dumps.
- Delayed or repeated GSource callbacks or leak indicators linked to WebSocket handling.
- Memory pressure or unusual process termination on qemu-kvm during handshake.
- WebSocket session closures or abnormal termination logs on the VNC port.
Mitigation and prioritisation
- Apply vendor patches across affected RHEL versions when released; verify coverage across RHEL 6–10 as applicable.
- Lock down VNC WebSocket exposure: firewall allowlists, restrict to trusted management networks; disable if not needed.
- Implement network segmentation and strict access controls around virtualization hosts.
- Test and deploy patch in staging before production; monitor for handshake stability and regression.
- If KEV is present or EPSS ≥ 0.5, treat as priority 1; otherwise aim for high-priority patching with change-control alignment.
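A check for the exposure item in the list above, as an added example (not code from this advisory or from Red Hat): it parses QEMU command lines, as they appear in `ps` output, and reports each VNC WebSocket listener and whether it is bound beyond loopback. The sample command lines are constructed, and the parser assumes the `-vnc host:display,websocket[=on|off|port|host:port]` syntax from QEMU's documentation.

```python
import ipaddress
import shlex

# Constructed sample command lines (not taken from a real host).
SAMPLE = [
    "/usr/libexec/qemu-kvm -name guest=web01 -vnc 0.0.0.0:1,websocket=5701 -m 4096",
    "/usr/libexec/qemu-kvm -name guest=db01 -vnc 127.0.0.1:0,websocket=on",
    "/usr/libexec/qemu-kvm -name guest=app01 -vnc :2,websocket=10.0.5.10:5800",
    "/usr/libexec/qemu-kvm -name guest=batch01 -vnc 127.0.0.1:3",
]

def _is_loopback(host):
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (all interfaces) or a name not resolved offline

def vnc_websocket_listeners(cmdline):
    """Return [(host, port, exposed)] for each VNC WebSocket listener in cmdline."""
    args = shlex.split(cmdline)
    found = []
    for flag, value in zip(args, args[1:]):
        if flag != "-vnc":
            continue
        display, *opts = value.split(",")
        host, sep, num = display.rpartition(":")
        if not sep or not num.isdigit():
            continue  # unix:, none and similar forms are out of scope here
        for opt in opts:
            key, _, val = opt.partition("=")
            if key != "websocket" or val == "off":
                continue
            ws_host, ws_port = host, 5700 + int(num)  # bare websocket / websocket=on
            if val not in ("", "on"):
                h, has_host, p = val.rpartition(":")
                if not p.isdigit():
                    continue  # malformed value, skip rather than guess
                ws_port = int(p)
                ws_host = h if has_host else host  # websocket=host:port overrides host
            found.append((ws_host or "*", ws_port, not _is_loopback(ws_host)))
    return found

if __name__ == "__main__":
    for line in SAMPLE:
        for host, port, exposed in vnc_websocket_listeners(line):
            print(f"{'EXPOSED' if exposed else 'loopback'}  {host}:{port}  {line.split()[2]}")
```

On a live host the same function can be fed the contents of `/proc/<pid>/cmdline` (with NUL bytes replaced by spaces) for each qemu-kvm process.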