RLSA-2026:18772

Published: 28 May 2026
Source: rocky
Severity: Moderate

Description

Moderate: qemu-kvm security update

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

  • qemu-kvm: VNC WebSocket handshake use-after-free (CVE-2025-11234)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 9 Release Notes linked from the References section.

Affected products

  • Rocky Linux 9

| Name | Architecture | Release | RPM |
|------|--------------|---------|-----|
| qemu-guest-agent | x86_64 | 17.el9_8 | qemu-guest-agent-10.1.0-17.el9_8.x86_64.rpm |
| qemu-img | x86_64 | 17.el9_8 | qemu-img-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm | x86_64 | 17.el9_8 | qemu-kvm-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-audio-pa | x86_64 | 17.el9_8 | qemu-kvm-audio-pa-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-block-blkio | x86_64 | 17.el9_8 | qemu-kvm-block-blkio-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-block-curl | x86_64 | 17.el9_8 | qemu-kvm-block-curl-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-block-rbd | x86_64 | 17.el9_8 | qemu-kvm-block-rbd-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-common | x86_64 | 17.el9_8 | qemu-kvm-common-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-core | x86_64 | 17.el9_8 | qemu-kvm-core-10.1.0-17.el9_8.x86_64.rpm |
| qemu-kvm-device-display-virtio-gpu | x86_64 | 17.el9_8 | qemu-kvm-device-display-virtio-gpu-10.1.0-17.el9_8.x86_64.rpm |

Related vulnerabilities

CVSS3: 7.5
ubuntu
9 months ago

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

CVSS3: 7.5
redhat
9 months ago

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

CVSS3: 7.5
nvd
9 months ago

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

CVSS3: 7.5
msrc
9 months ago

Qemu-kvm: vnc websocket handshake use-after-free

CVSS3: 7.5
debian
9 months ago

A flaw was found in QEMU. If the QIOChannelWebsock object is freed whi ...