PT-2026-58678 · Libsoup · Libsoup

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-15712

CVSS v3.1

5.9

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions libsoup versions 3.0 through 3.7.0
Description A heap buffer over-read occurs in the HTTP/2 connection tracking framework when processing an HTTP/2 GOAWAY frame. The issue arises because the library assumes the Additional Debug Data payload is a NUL-terminated C-string and fails to perform strict length-boundary verification. A remote, unauthenticated attacker can send a malformed GOAWAY frame without the null delimiter, causing the library to read beyond the allocated buffer. This can lead to an application crash resulting in a denial of service (DoS) or the exposure of memory fragments.
Recommendations Update libsoup to a version later than 3.7.0.

Exploit

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15712

Affected Products

Libsoup