GNOME Libsoup


By the Year

In 2026 there have been 3 vulnerabilities in GNOME Libsoup with an average score of 6.4 out of ten. Last year, in 2025, Libsoup had 24 security vulnerabilities published. Libsoup is currently on track to have fewer security vulnerabilities in 2026 than it did last year. Last year's average CVE base score was higher by 0.05.

Year   Vulnerabilities   Average Score
2026   3                 6.40
2025   24                6.45
2024   3                 7.80
2023   0                 0.00
2022   0                 0.00
2021   0                 0.00
2020   0                 0.00
2019   1                 0.00 (the single 2019 CVE listed below carries no base score)
2018   3                 8.70

It may take a day or so for new Libsoup vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent GNOME Libsoup Security Vulnerabilities

libsoup HTTP Range Header flaw may read arbitrary memory
CVE-2026-2443 5.3 - Medium - February 13, 2026

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.

Out-of-bounds Read

libsoup HTTP Request Smuggling via Malformed Chunk Headers
CVE-2026-1801 5.3 - Medium - February 03, 2026

A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.

HTTP Request Smuggling

Libsoup Multipart HTTP Response Stack-based Buffer Overflow
CVE-2026-1761 8.6 - High - February 02, 2026

A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.

Stack-based Buffer Overflow

libsoup UAF via async HTTP/2 queue race causing remote DoS
CVE-2025-12105 7.5 - High - October 23, 2025

A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.

Dangling pointer

libsoup OOB read via cookie date handling flaw
CVE-2025-11021 7.5 - High - September 26, 2025

A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.

Out-of-bounds Read

libsoup Vary header ignored in cache, info leakage risk
CVE-2025-9901 5.9 - Medium - September 03, 2025

A flaw was found in libsoup's caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header tells a cache that the response depends on the listed request headers, such as Accept-Language or Authorization. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.

Use of Cache Containing Sensitive Information
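To make the Vary check concrete, the following added example (it is not SoupCache code, and the URL, header values and bodies are constructed) is a minimal response cache that keys its secondary lookup on the request header values named in the cached response's Vary header, with a flag that reproduces the behaviour described above for comparison. With the flag off, Bob is served Alice's cached profile; with it on, his request is a cache miss.

```python
class ResponseCache:
    """Tiny response cache keyed on URL plus the request header values named in
    the cached response's Vary header (RFC 9111 section 4.1).  honor_vary=False
    reproduces the CVE-2025-9901 behaviour for comparison."""

    def __init__(self, honor_vary=True):
        self.honor_vary = honor_vary
        self._entries = {}        # url -> list of (vary, vary_key, response)

    @staticmethod
    def _lower(headers):
        return {k.lower(): v for k, v in headers.items()}

    def _vary_key(self, vary, request_headers):
        """Secondary cache key: (name, value) pairs for every header in Vary.
        Returns None for 'Vary: *', which makes the response uncacheable."""
        if not self.honor_vary or not vary:
            return ()
        names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
        if "*" in names:
            return None
        req = self._lower(request_headers)
        return tuple((n, req.get(n, "")) for n in names)

    def store(self, url, request_headers, response):
        vary = self._lower(response["headers"]).get("vary", "")
        key = self._vary_key(vary, request_headers)
        if key is None:
            return False
        self._entries.setdefault(url, []).append((vary, key, response))
        return True

    def lookup(self, url, request_headers):
        for vary, key, response in self._entries.get(url, []):
            if self._vary_key(vary, request_headers) == key:
                return response
        return None


def cross_user_demo(honor_vary):
    """Constructed scenario: Alice's authenticated profile response is cached,
    then Bob requests the same URL with his own credentials.  Returns the body
    Bob is served from cache, or None on a cache miss."""
    cache = ResponseCache(honor_vary=honor_vary)
    url = "https://app.example/profile"          # constructed URL
    alice = {"Authorization": "Bearer alice-token", "Accept-Language": "en"}
    bob = {"Authorization": "Bearer bob-token", "Accept-Language": "en"}
    response = {
        "status": 200,
        "headers": {"Cache-Control": "max-age=60", "Vary": "Authorization, Accept-Language"},
        "body": "profile for alice",
    }
    cache.store(url, alice, response)
    hit = cache.lookup(url, bob)
    return hit["body"] if hit else None
```

Vary matching is necessary but not sufficient: a shared cache must additionally refuse to store a response to a request that carried Authorization unless the response explicitly permits it (RFC 9111 section 3.5), which this example does not model.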

libsoup OOB Read via Unterminated Multipart HTTP Body
CVE-2025-4969 6.5 - Medium - May 21, 2025

A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read).

Out-of-bounds Read

Libsoup Cookie Expiration Integer Overflow
CVE-2025-4945 3.7 - Low - May 19, 2025

A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.

Integer Overflow or Wraparound
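Both cookie-date entries above (the out-of-bounds read in CVE-2025-11021 and the expiry integer overflow in CVE-2025-4945) come from the same parsing step. The following added example, which is not libsoup's cookie code, parses a cookie Expires attribute with the RFC 6265 section 5.1.1 algorithm: every field is range-checked before any date arithmetic, a year with more than four digits never matches the year production at all, and the result is clamped to a maximum the store can represent (the 32-bit time_t limit is an assumption chosen for illustration) instead of being allowed to wrap. Rejecting day numbers that do not exist in the month is stricter than the RFC's 1..31 check.

```python
import calendar
import re

MONTHS = {m: i for i, m in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"), 1)}
# Delimiter set from RFC 6265 section 5.1.1; ':' is not a delimiter, so hh:mm:ss stays one token.
DELIMITERS = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
TIME_RE = re.compile(r"(\d{1,2}):(\d{1,2}):(\d{1,2})(?!\d)")
DAY_RE = re.compile(r"(\d{1,2})(?!\d)")
YEAR_RE = re.compile(r"(\d{2,4})(?!\d)")
# Assumption for this example: the largest expiry the cookie store represents
# (32-bit time_t maximum, 2038-01-19).  Larger dates are clamped, never wrapped.
MAX_EXPIRY = 2**31 - 1


def parse_cookie_expires(value, cap=MAX_EXPIRY):
    """Return the Expires attribute as Unix seconds (clamped to `cap`), or None
    if the date is invalid under the RFC 6265 section 5.1.1 algorithm."""
    time_ = day = month = year = None
    for token in DELIMITERS.split(value):
        if not token:
            continue
        m = TIME_RE.match(token)
        if time_ is None and m:
            time_ = tuple(int(g) for g in m.groups())
            continue
        m = DAY_RE.match(token)
        if day is None and m:
            day = int(m.group(1))
            continue
        if month is None and token[:3].lower() in MONTHS:
            month = MONTHS[token[:3].lower()]
            continue
        m = YEAR_RE.match(token)
        if year is None and m:
            year = int(m.group(1))
    if None in (time_, day, month, year):
        return None
    if 70 <= year <= 99:            # two-digit years per RFC 6265
        year += 1900
    elif year <= 69:
        year += 2000
    hour, minute, second = time_
    if year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    if not 1 <= day <= calendar.monthrange(year, month)[1]:
        return None                 # stricter than the RFC's 1..31 check
    epoch = calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))
    return min(epoch, cap)          # clamp rather than overflow the store's range
```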

libsoup Integer Underflow in multipart parsing leads to DoS
CVE-2025-4948 7.5 - High - May 19, 2025

A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk.

Integer underflow

libsoup DoS via crafted WWW-Authenticate header
CVE-2025-4476 4.3 - Medium - May 16, 2025

A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server.

NULL Pointer Dereference

libsoup Cookie Public Suffix Domain Bypass
CVE-2025-4035 4.3 - Medium - April 29, 2025

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

Improper Handling of Case Sensitivity
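As an added example (not libsoup code; the public-suffix set and host names are constructed), the check below applies RFC 6265 section 5.3 steps 4 to 6 to a Set-Cookie Domain attribute. The flag lowercase_before_psl=False models the class of bug described above: the public-suffix lookup sees the attribute as sent, so a mixed-case suffix such as "Co.Uk" is not recognised as public, while the subsequent domain-match is case-insensitive and succeeds. It is a simplified model of the bug class, not a reproduction of libsoup's exact code path.

```python
# Constructed subset of the Public Suffix List; a real client loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def cookie_domain_allowed(request_host, domain_attr, lowercase_before_psl=True):
    """Decide whether a Set-Cookie Domain attribute may be accepted for a
    response from request_host.  An empty attribute means a host-only cookie."""
    host = request_host.lower()
    dom = domain_attr.lstrip(".")
    if not dom:
        return True
    psl_lookup = dom.lower() if lowercase_before_psl else dom
    if psl_lookup in PUBLIC_SUFFIXES:
        # RFC 6265 5.3 step 5: a public suffix is only acceptable when the host
        # *is* that suffix (the cookie then becomes host-only); otherwise reject.
        return host == psl_lookup
    dom = dom.lower()                         # domain-match is case-insensitive
    return host == dom or host.endswith("." + dom)


def accept_set_cookie(request_host, set_cookie, **kw):
    """Pull the Domain attribute out of a Set-Cookie header value and apply the check."""
    attrs = [p.strip() for p in set_cookie.split(";")][1:]
    domain = ""
    for attr in attrs:
        name, _, value = attr.partition("=")
        if name.strip().lower() == "domain":
            domain = value.strip()
    return cookie_domain_allowed(request_host, domain, **kw)
```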

libsoup Authorization Header Leak on HTTP Redirect
CVE-2025-46421 6.8 - Medium - April 24, 2025

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

Exposure of Sensitive System Information to an Unauthorized Control Sphere
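The redirect-following logic below is an added example, not libsoup code: it drops Authorization and Proxy-Authorization whenever a 3xx response points at a different origin (scheme, host and port), and keeps them for same-origin redirects. The "network" is a constructed in-memory table of responses so the example runs offline; the host names and token are made up. With strip_auth_cross_origin=False it reproduces the behaviour described above, and the bearer token reaches the attacker's host.

```python
from urllib.parse import urljoin, urlsplit

AUTH_HEADERS = ("authorization", "proxy-authorization")

# Constructed in-memory "network": url -> (status, response headers, body).
FAKE_NET = {
    "https://api.example/report": (302, {"Location": "https://collector.attacker.example/grab"}, b""),
    "https://collector.attacker.example/grab": (200, {}, b"thanks"),
    "https://api.example/old": (301, {"Location": "/new"}, b""),
    "https://api.example/new": (200, {}, b"report data"),
}


def origin(url):
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def fetch(url, headers, strip_auth_cross_origin=True, max_redirects=5, net=FAKE_NET):
    """Follow redirects; return (final_url, headers sent to the final host, body)."""
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = net[url]
        if status in (301, 302, 303, 307, 308) and "Location" in resp_headers:
            target = urljoin(url, resp_headers["Location"])
            if strip_auth_cross_origin and origin(target) != origin(url):
                # The credentials were issued for the original origin; do not forward them.
                headers = {k: v for k, v in headers.items() if k.lower() not in AUTH_HEADERS}
            url = target
            continue
        return url, headers, body
    raise RuntimeError("too many redirects")


def auth_forwarded(start_url, strip):
    """True if the Authorization header reached the final host of the redirect chain."""
    _, sent, _ = fetch(start_url, {"Authorization": "Bearer s3cr3t-token"},
                       strip_auth_cross_origin=strip)
    return "Authorization" in sent
```

Comparing full origins rather than host names alone is the stricter rule browsers apply; a redirect from https to http on the same host also loses the credential under this check.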

Memory Leak in libsoup's soup_header_parse_quality_list()
CVE-2025-46420 6.5 - Medium - April 24, 2025

A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.

Memory Leak

libsoup UAF in soup_message_headers_get_content_disposition
CVE-2025-32911 9.0 - Critical - April 15, 2025

A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.

Free of Memory not on the Heap

libsoup SoupContentSniffer NULL Pointer Deref in sniff_mp4
CVE-2025-32909 5.3 - Medium - April 14, 2025

A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash.

NULL Pointer Dereference

libsoup SoupAuthDigest NULL Pointer Dereference
CVE-2025-32912 6.5 - Medium - April 14, 2025

A flaw was found in libsoup, where SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash.

NULL Pointer Dereference

libsoup Null ptr deref in auth_digest_authenticate causes client crash
CVE-2025-32910 6.5 - Medium - April 14, 2025

A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash.

NULL Pointer Dereference

libsoup OOB Read in soup_multipart_new_from_message()
CVE-2025-32914 7.4 - High - April 14, 2025

A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.

Out-of-bounds Read
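Four of the entries on this page are multipart-parsing bugs: the stack-based overflow from an incorrect length calculation (CVE-2026-1761), the unterminated-body out-of-bounds read (CVE-2025-4969), the integer underflow in soup_multipart_new_from_message() (CVE-2025-4948) and the out-of-bounds read in the same function (CVE-2025-32914). The parser below is an added example, not libsoup's implementation: it walks an RFC 2046 multipart body and validates every offset against the buffer before using it, so a missing close delimiter, a boundary at the very end of the buffer, or a header block with no terminating blank line is rejected rather than read past. The boundary string and bodies in the checks are constructed.

```python
class MultipartError(ValueError):
    pass


def _parse_part_headers(block):
    headers = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MultipartError("malformed part header %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_multipart(body, boundary, max_parts=64):
    """Split a multipart body (RFC 2046 section 5.1.1) into (headers, data)
    pairs.  Every offset is bounds-checked before use, and the body must end
    with the close delimiter '--boundary--'."""
    delim = b"--" + boundary.encode("ascii")
    sep = b"\r\n" + delim                    # a delimiter always starts on its own line
    pos = body.find(delim)                   # anything before the first delimiter is preamble
    if pos == -1:
        raise MultipartError("no opening boundary")
    pos += len(delim)
    parts = []
    while True:
        if body.startswith(b"--", pos):
            return parts                     # close delimiter: properly terminated
        if not body.startswith(b"\r\n", pos):
            raise MultipartError("boundary at offset %d not followed by CRLF or '--'" % pos)
        pos += 2
        if len(parts) >= max_parts:
            raise MultipartError("too many parts")
        next_delim = body.find(sep, pos)     # searching from pos guarantees next_delim >= pos
        if next_delim == -1:
            raise MultipartError("part starting at offset %d is never terminated" % pos)
        if next_delim == pos:
            headers, data_start = {}, pos    # part with no headers and no body
        elif body.startswith(b"\r\n", pos):
            headers, data_start = {}, pos + 2   # empty header block
        else:
            # The blank line must lie before the next delimiter; bounding the
            # search keeps hdr_end + 4 <= next_delim.
            hdr_end = body.find(b"\r\n\r\n", pos, next_delim)
            if hdr_end == -1:
                raise MultipartError("part headers not terminated before next boundary")
            headers = _parse_part_headers(body[pos:hdr_end])
            data_start = hdr_end + 4
        if data_start > next_delim:          # cannot happen given the checks above; guard anyway
            raise MultipartError("negative part length")
        parts.append((headers, body[data_start:next_delim]))
        pos = next_delim + len(sep)


def part_count(body, boundary):
    """Number of parts, or -1 when the body is rejected."""
    try:
        return len(parse_multipart(body, boundary))
    except MultipartError:
        return -1


# Constructed test body (two parts, properly closed).
BOUNDARY = "xYz"
GOOD_BODY = (b"--xYz\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n"
             b"--xYz\r\nContent-Type: text/plain\r\n\r\nworld\r\n--xYz--\r\n")
```

The invariant to carry over to C is the one the comments spell out: the end of each part is found by searching forward from its start, so the computed length can never be negative, and the header search is bounded by that end so it cannot run into the next part.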

NULL pointer deref in libsoup soup_message_headers_get_content_disposition
CVE-2025-32913 7.5 - High - April 14, 2025

A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.

NULL Pointer Dereference

libsoup HTTP/2 pseudo-header validation flaw allows DoS
CVE-2025-32908 7.5 - High - April 14, 2025

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS).

Misinterpretation of Input

libsoup HTTP Range Request Resource Exhaustion
CVE-2025-32907 5.3 - Medium - April 14, 2025

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.

Excessive Platform Resource Consumption within a Loop
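The two Range-header entries on this page fail in opposite directions: CVE-2026-2443 concerns ranges that are not properly validated against the response, and CVE-2025-32907 concerns a client repeating a valid range many times so the server builds a huge multipart reply. The following added example, which is not SoupServer code, parses a Range header per RFC 9110 section 14, clamps each range to the representation length, skips unsatisfiable ones, caps the number of ranges and rejects overlapping or duplicate ones. Answering 400 for malformed specs is a stricter choice than the RFC minimum, which is to ignore such a header. The status codes and the cap of 16 ranges are this example's choices.

```python
import re

RANGE_SPEC = re.compile(r"(\d*)-(\d*)")


class RangeError(ValueError):
    """Carries the HTTP status the server should answer with."""
    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status


def parse_range(header, length, max_ranges=16):
    """Validate a Range header against a representation of `length` bytes.
    Returns a list of inclusive (first, last) pairs, or None when the unit is
    not 'bytes' (the header is then ignored).  Raises RangeError(400) for a
    malformed, overlapping or duplicate spec and RangeError(416) when no range
    is satisfiable or too many are requested."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        spec = spec.strip()
        m = RANGE_SPEC.fullmatch(spec)
        if not m or spec == "-":
            raise RangeError(400, "malformed range spec %r" % spec)
        first, last = m.groups()
        if first == "":                          # suffix range: the last N bytes
            n = int(last)
            if n == 0 or length == 0:
                continue                         # unsatisfiable, skip it
            ranges.append((max(0, length - n), length - 1))
        else:
            start = int(first)
            if start >= length:
                continue                         # unsatisfiable
            end = length - 1 if last == "" else min(int(last), length - 1)
            if end < start:
                raise RangeError(400, "last-pos before first-pos")
            ranges.append((start, end))
        if len(ranges) > max_ranges:
            raise RangeError(416, "too many ranges")
    if not ranges:
        raise RangeError(416, "no satisfiable range")
    ordered = sorted(ranges)
    for (_, prev_end), (cur_start, _) in zip(ordered, ordered[1:]):
        if cur_start <= prev_end:
            raise RangeError(400, "overlapping or duplicate ranges")
    return ranges


def bytes_to_serve(ranges):
    """Total payload a multipart/byteranges response for `ranges` would carry."""
    return sum(last - first + 1 for first, last in ranges)


def range_outcome(header, length, **kw):
    """String summary of the decision, for callers that only want the status."""
    try:
        ranges = parse_range(header, length, **kw)
    except RangeError as e:
        return "%d %s" % (e.status, e)
    if ranges is None:
        return "ignored"
    return "206 %d bytes" % bytes_to_serve(ranges)
```

The overlap check is what defeats the repeated-range attack: without it, bytes_to_serve grows linearly with the number of copies of the same range, which is exactly the memory the server would have to assemble.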

libsoup DoS via malformed data URI in soup_uri_decode_data_uri
CVE-2025-32051 5.9 - Medium - April 03, 2025

A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri() function may crash when processing malformed data URI. This flaw allows an attacker to cause a denial of service (DoS).

Improper Check for Unusual or Exceptional Conditions

Libsoup WebSocket DoS via Large Message Vulnerability
CVE-2025-32049 7.5 - High - April 03, 2025

A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).

Allocation of Resources Without Limits or Throttling

libsoup buffer under-read via append_param_quoted overflow
CVE-2025-32050 5.9 - Medium - April 03, 2025

A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read.

Buffer Under-read

libsoup Heap Buffer Over-read via sniff_feed_or_html() and skip_insignificant_space()
CVE-2025-32053 6.5 - Medium - April 03, 2025

A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.

Buffer Over-read

libsoup Heap Buffer Over-Read in sniff_unknown()
CVE-2025-32052 6.5 - Medium - April 03, 2025

A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read.

Buffer Over-read

libsoup Heap Buffer Over-read via HTTP Skip Insight Whitespace
CVE-2025-2784 7.0 - High - April 03, 2025

A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

Out-of-bounds Read

GNOME libsoup HTTP Request Smuggling Vulnerability in Header Parsing
CVE-2024-52530 7.5 - High - November 11, 2024

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.

HTTP Request Smuggling
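The lone-LF chunk terminator in CVE-2026-1801 and the NUL-suffixed header name in CVE-2024-52530 are both parser leniencies that change how one byte stream is split into requests. The following added example, which is not libsoup code, is a small HTTP/1.1 request parser with a strict mode that enforces RFC 9112 framing (CRLF line endings, token-only header names) and a lenient mode that reproduces both leniencies. Fed the two constructed messages below, the lenient parser turns each single write into two requests, while the strict parser rejects it; a front end that frames the same bytes as one request is the other half of a smuggling setup. Paths, host name and the "/admin" target are made up.

```python
import re

TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 token


class ParseError(ValueError):
    pass


def _read_line(buf, pos, strict):
    """Return (line, new_pos).  Strict mode requires CRLF; lenient mode also
    accepts a bare LF (dropping a preceding CR if there is one)."""
    lf = buf.find(b"\n", pos)
    if lf == -1:
        raise ParseError("missing line terminator")
    if strict:
        if lf == pos or buf[lf - 1:lf] != b"\r":
            raise ParseError("bare LF where CRLF is required")
        return buf[pos:lf - 1], lf + 1
    line = buf[pos:lf]
    return (line[:-1] if line.endswith(b"\r") else line), lf + 1


def _parse_headers(buf, pos, strict):
    headers = {}
    while True:
        line, pos = _read_line(buf, pos, strict)
        if line == b"":
            return headers, pos
        name, sep, value = line.partition(b":")
        if not sep:
            raise ParseError("header line without ':'")
        if strict:
            if not TCHAR.match(name):
                raise ParseError("invalid header name %r" % name)
        else:
            name = name.rstrip(b"\x00")       # leniency: a trailing NUL in the name is ignored
        headers[name.lower()] = value.strip()


def _read_chunked(buf, pos, strict):
    body = bytearray()
    while True:
        size_line, pos = _read_line(buf, pos, strict)
        size = int(size_line.split(b";")[0].strip(), 16)
        if size == 0:
            while True:                       # optional trailer fields, then an empty line
                line, pos = _read_line(buf, pos, strict)
                if line == b"":
                    return bytes(body), pos
        if len(buf) - pos < size:
            raise ParseError("truncated chunk")
        body += buf[pos:pos + size]
        pos += size
        term, pos = _read_line(buf, pos, strict)
        if term != b"":
            raise ParseError("chunk data not followed by CRLF")


def parse_requests(buf, strict=True):
    """Parse every request in buf; returns a list of (method, target, headers, body)."""
    requests, pos = [], 0
    while pos < len(buf):
        line, pos = _read_line(buf, pos, strict)
        method, target, version = line.split(b" ")
        headers, pos = _parse_headers(buf, pos, strict)
        if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
            body, pos = _read_chunked(buf, pos, strict)
        else:
            n = int(headers.get(b"content-length", b"0"))
            if len(buf) - pos < n:
                raise ParseError("truncated body")
            body, pos = buf[pos:pos + n], pos + n
        requests.append((method.decode(), target.decode(), headers, body))
    return requests


def count_requests(buf, strict):
    """Requests a parser extracts from one message, or None if it rejects the message."""
    try:
        return len(parse_requests(buf, strict))
    except ParseError:
        return None


# Constructed messages, each representing a single network write.
MSG_OK = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
# 1. Last-chunk line "0\n" instead of "0\r\n" (the CVE-2026-1801 leniency).
MSG_LONE_LF = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
# 2. "Transfer-Encoding\0: chunked" beside a Content-Length that covers the
#    remaining 48 bytes (the CVE-2024-52530 leniency): a peer framing by
#    Content-Length sees one request; the lenient parser sees two.
MSG_NUL_HEADER = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 48\r\n"
    b"Transfer-Encoding\x00: chunked\r\n\r\n"
    b"0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
```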

GNOME libsoup Buffer Overflow Vulnerability in UTF-8 Conversion
CVE-2024-52531 8.4 - High - November 11, 2024

GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response).

Memory Corruption

GNOME libsoup 3.x WebSocket Infinite Loop and Memory Consumption Vulnerability
CVE-2024-52532 7.5 - High - November 11, 2024

GNOME libsoup before 3.6.1 has an infinite loop, and excessive memory consumption, during the reading of certain patterns of WebSocket data from clients.

Infinite Loop
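The two WebSocket entries above, the unbounded message allocation in CVE-2025-32049 and the infinite loop in CVE-2024-52532, are the two properties a frame reader has to get right. The reader below is an added example, not SoupWebsocketConnection code: it checks the declared frame length against a limit before touching any payload, caps the reassembled size of a fragmented message, and is structured so that every loop iteration either advances the offset or stops. The 1 MiB limit and the mask bytes are this example's assumptions; build_frame exists only to construct test input.

```python
import struct

MAX_MESSAGE = 1 << 20     # assumption: 1 MiB per message


class WSError(Exception):
    pass


def parse_frame(buf, offset=0, max_payload=MAX_MESSAGE):
    """Parse one frame (RFC 6455 section 5.2) at buf[offset:].
    Returns (fin, opcode, payload, next_offset), or None when more bytes are
    needed.  The declared length is checked before any payload is read, so a
    64-bit length field cannot drive a huge allocation."""
    if len(buf) - offset < 2:
        return None
    b0, b1 = buf[offset], buf[offset + 1]
    if b0 & 0x70:
        raise WSError("reserved bits set without a negotiated extension")
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = offset + 2
    if length == 126:
        if len(buf) - pos < 2:
            return None
        length, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
        if length < 126:
            raise WSError("non-minimal 16-bit length")
    elif length == 127:
        if len(buf) - pos < 8:
            return None
        length, pos = struct.unpack(">Q", buf[pos:pos + 8])[0], pos + 8
        if length < 0x10000 or length >> 63:
            raise WSError("invalid 64-bit length")
    if length > max_payload:
        raise WSError("frame of %d bytes exceeds limit %d" % (length, max_payload))
    if opcode >= 8 and (length > 125 or not fin):
        raise WSError("control frame too long or fragmented")
    mask = b""
    if masked:
        if len(buf) - pos < 4:
            return None
        mask, pos = buf[pos:pos + 4], pos + 4
    if len(buf) - pos < length:
        return None
    payload = bytes(buf[pos:pos + length])
    if mask:
        payload = bytes(c ^ mask[i & 3] for i, c in enumerate(payload))
    return fin, opcode, payload, pos + length


def read_messages(stream, max_message=MAX_MESSAGE):
    """Reassemble complete data messages from a byte string of frames.  The
    fragment total is capped, and parse_frame never returns an offset that is
    not strictly greater than the one it was given, so the loop cannot spin."""
    messages, offset = [], 0
    current, current_op = bytearray(), None
    while True:
        frame = parse_frame(stream, offset, max_payload=max_message)
        if frame is None:
            break
        fin, opcode, payload, offset = frame
        if opcode >= 8:
            continue                          # close/ping/pong never join a fragmented message
        if opcode != 0:
            if current_op is not None:
                raise WSError("new message started before previous one finished")
            current_op = opcode
        elif current_op is None:
            raise WSError("continuation frame without a message in progress")
        if len(current) + len(payload) > max_message:
            raise WSError("message exceeds limit %d" % max_message)
        current += payload
        if fin:
            messages.append((current_op, bytes(current)))
            current, current_op = bytearray(), None
    return messages


def build_frame(opcode, payload, fin=True, mask=b"\x12\x34\x56\x78"):
    """Client-side frame builder (clients must mask), used to construct test data."""
    b0 = (0x80 if fin else 0) | opcode
    n = len(payload)
    if n < 126:
        header = bytes([b0, 0x80 | n])
    elif n < 0x10000:
        header = bytes([b0, 0x80 | 126]) + struct.pack(">H", n)
    else:
        header = bytes([b0, 0x80 | 127]) + struct.pack(">Q", n)
    return header + mask + bytes(c ^ mask[i & 3] for i, c in enumerate(payload))


def safe_read(stream, max_message=MAX_MESSAGE):
    """read_messages, returning None instead of raising, for quick checks."""
    try:
        return read_messages(stream, max_message)
    except WSError:
        return None
```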

libsoup Heap-based Buffer Over-read in soup_ntlm_parse_challenge()
CVE-2019-17266 - October 06, 2019

libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy.

libsoup get_cookies() Unspecified Impact via Empty Hostname
CVE-2018-12910 9.8 - Critical - July 05, 2018

The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.

Out-of-bounds Read

WebKit libsoup Backend Ignores System Proxy for WebSocket Connections (Deanonymization)
CVE-2018-11713 6.5 - Medium - June 04, 2018

WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.

GNOME libsoup 2.58 Stack-based Buffer Overflow via Crafted HTTP Request (Remote Code Execution)
CVE-2017-2885 9.8 - Critical - April 24, 2018

An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability.

Memory Corruption

Vendor: GNOME
Product: GNOME Libsoup