CVE-2026-10650

Medium
CWE-400 — Weakness Type
Published: Jun 2, 2026  ·  Modified: Jun 5, 2026  ·  Source: NVD
CVSS v3: 5.3
📄 Description (English)

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext in the file plugins/protocol_lws_ssh_base/sshd.c of the SSH Protocol Handler component. Manipulating the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. The patch is identified as 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. Applying the patch is recommended to remediate this issue.

🤖 AI Executive Summary

CVE-2026-10650 is a medium-severity denial-of-service vulnerability in libwebsockets SSH protocol handler affecting versions up to 4.5.8. A remote attacker can manipulate the msg_len argument to cause excessive resource consumption, potentially disrupting SSH-based services. While a patch commit exists, official releases may not yet include the fix, requiring immediate assessment of affected deployments.

🤖 AI Intelligence Analysis (Analyzed: Jun 4, 2026 07:01)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using libwebsockets for SSH-based remote access and management: (1) Government agencies and NCA infrastructure relying on SSH for secure administration; (2) Banking sector (SAMA-regulated) using SSH for secure inter-bank communications and critical system management; (3) Energy sector (ARAMCO, SEC) utilizing SSH for SCADA and industrial control system access; (4) Telecom operators (STC, Mobily, Zain) managing network infrastructure via SSH; (5) Healthcare institutions using SSH for secure data transmission. The DoS impact could disrupt critical administrative access during operational hours.
🏢 Affected Saudi Sectors
Government, Banking, Energy, Telecommunications, Healthcare, Critical Infrastructure
⚖️ Saudi Risk Score (AI)
6.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all systems using libwebsockets versions ≤4.5.8, particularly those with SSH protocol handler enabled
2. Assess if SSH functionality is actively used; disable if not required
3. Implement network-level rate limiting on SSH ports (22, custom SSH ports)
4. Enable SSH connection logging and monitor for abnormal msg_len values

Patching Guidance:
1. Apply commit 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 from libwebsockets repository if building from source
2. Monitor for official libwebsockets 4.5.9+ release and upgrade immediately upon availability
3. Test patches in non-production environments first

Compensating Controls:
1. Implement SSH access controls via firewall rules (whitelist trusted IPs)
2. Deploy IDS/IPS rules to detect malformed SSH protocol messages with abnormal msg_len values
3. Configure SSH connection timeouts and resource limits (MaxStartups, MaxSessions)
4. Monitor system resource utilization (CPU, memory) for anomalies during SSH sessions
5. Implement SSH key-based authentication only; disable password authentication

Detection Rules:
1. Alert on SSH connections with unusually large msg_len values in protocol parsing
2. Monitor for sustained high CPU/memory usage correlating with SSH connections
3. Track failed SSH authentication attempts and connection resets
4. Log and alert on libwebsockets error messages related to SSH protocol parsing
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - Security patch management
DE.CM-8 - Vulnerability scans and assessments
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.2.1 - Change management
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
📊 CVSS Score
5.3 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: N — None
Integrity: N — None
Availability: L — Low
📋 Quick Facts
Severity: Medium
CVSS Score: 5.3
CWE: CWE-400
EPSS: 0.06%
Exploit: No
Patch: No
Published: 2026-06-02
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.2 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-400