==========================================================================
Ubuntu Security Notice USN-8024-1
February 11, 2026

libwebsockets vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Libwebsockets.

Software Description:
- libwebsockets: C library for building WebSocket-based network applications

Details:

Raffaele Bova discovered that Libwebsockets incorrectly handled memory
when the upgrade header is not valid in the WebSocket server. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2025-11677)

Raffaele Bova discovered that Libwebsockets did not properly check the
size of the destination buffer in the async-dns component. An attacker
could possibly use this issue to cause applications to crash, leading to a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-11678)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libwebsockets19t64              4.3.3-1.1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libwebsockets16                 4.0.20-2ubuntu1.1

Ubuntu 20.04 LTS
  libwebsockets15                 3.2.1-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8024-1
  CVE-2025-11677, CVE-2025-11678

Package Information:
  https://launchpad.net/ubuntu/+source/libwebsockets/4.0.20-2ubuntu1.1