{"schema_version":"1.7.2","id":"OESA-2026-2338","modified":"2026-05-15T14:02:43Z","published":"2026-05-15T14:02:43Z","upstream":["CVE-2025-12105","CVE-2025-14523","CVE-2025-32052","CVE-2025-32053","CVE-2025-46420","CVE-2025-4945","CVE-2025-4948","CVE-2025-4969","CVE-2026-0716","CVE-2026-1467","CVE-2026-1536","CVE-2026-1539"],"summary":"libsoup3 security update","details":"Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages.\r\n\r\nSecurity Fix(es):\n\nA flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.(CVE-2025-12105)\n\nA flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.(CVE-2025-14523)\n\nA flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read.(CVE-2025-32052)\n\nA flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.(CVE-2025-32053)\n\nA flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.(CVE-2025-46420)\n\nA flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.(CVE-2025-4945)\n\nA flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk.(CVE-2025-4948)\n\nA vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read).(CVE-2025-4969)\n\nA flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.(CVE-2026-0716)\n\nA flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.(CVE-2026-1467)\n\nA flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.(CVE-2026-1536)\n\nA flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.(CVE-2026-1539)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"libsoup3","purl":"pkg:rpm/openEuler/libsoup3&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.4-17.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["libsoup3-3.4.4-17.oe2403sp1.aarch64.rpm","libsoup3-debuginfo-3.4.4-17.oe2403sp1.aarch64.rpm","libsoup3-debugsource-3.4.4-17.oe2403sp1.aarch64.rpm","libsoup3-devel-3.4.4-17.oe2403sp1.aarch64.rpm"],"noarch":["libsoup3-help-3.4.4-17.oe2403sp1.noarch.rpm"],"src":["libsoup3-3.4.4-17.oe2403sp1.src.rpm"],"x86_64":["libsoup3-3.4.4-17.oe2403sp1.x86_64.rpm","libsoup3-debuginfo-3.4.4-17.oe2403sp1.x86_64.rpm","libsoup3-debugsource-3.4.4-17.oe2403sp1.x86_64.rpm","libsoup3-devel-3.4.4-17.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2338"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12105"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14523"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32052"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32053"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46420"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4945"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4948"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4969"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0716"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1467"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1536"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1539"}],"database_specific":{"severity":"High"}}