OESA-2026-2666

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages.

Security Fix(es):

A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).(CVE-2025-32049)

A flaw was found in libsoup. The libsoup appendparamquoted() function may contain an overflow bug resulting in a buffer under-read.(CVE-2025-32050)

A flaw was found in libsoup. The libsoup soupuridecodedatauri() function may crash when processing malformed data URI. This flaw allows an attacker to cause a denial of service (DoS).(CVE-2025-32051)

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.(CVE-2025-32907)

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.(CVE-2026-1760)

A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the soup_server_disconnect() function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.(CVE-2026-2436)

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soupmessageheadersappendcommon() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.(CVE-2026-2708)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:24.03-LTS-SP1 / libsoup3

Package

Name: libsoup3
Purl: pkg:rpm/openEuler/libsoup3&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.5-19.oe2403sp1

Ecosystem specific

{
    "src": [
        "libsoup3-3.4.5-19.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "libsoup3-3.4.5-19.oe2403sp1.x86_64.rpm",
        "libsoup3-debuginfo-3.4.5-19.oe2403sp1.x86_64.rpm",
        "libsoup3-debugsource-3.4.5-19.oe2403sp1.x86_64.rpm",
        "libsoup3-devel-3.4.5-19.oe2403sp1.x86_64.rpm"
    ],
    "aarch64": [
        "libsoup3-3.4.5-19.oe2403sp1.aarch64.rpm",
        "libsoup3-debuginfo-3.4.5-19.oe2403sp1.aarch64.rpm",
        "libsoup3-debugsource-3.4.5-19.oe2403sp1.aarch64.rpm",
        "libsoup3-devel-3.4.5-19.oe2403sp1.aarch64.rpm"
    ],
    "noarch": [
        "libsoup3-help-3.4.5-19.oe2403sp1.noarch.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-2666.json"