Security update for libsoup SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0703-1 Final 1 1 2026-02-28T10:01:49Z current 2026-02-28T10:01:49Z 2026-02-28T10:01:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup This update for libsoup fixes the following issues: - CVE-2026-0716: improper bounds handling may allow out-of-bounds read (bsc#1256418). - CVE-2025-4476: null pointer dereference may lead to denial of service (bsc#1243422). - CVE-2025-32049: denial of Service attack to websocket server (bsc#1240751). - CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120). - CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers (bsc#1258170). - CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-703,SUSE-SLE-SERVER-12-SP5-LTSS-2026-703,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-703 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ Link for SUSE-SU-2026:0703-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024517.html E-Mail link for SUSE-SU-2026:0703-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240751 SUSE Bug 1240751 https://bugzilla.suse.com/1243422 SUSE Bug 1243422 https://bugzilla.suse.com/1256418 SUSE Bug 1256418 https://bugzilla.suse.com/1258120 SUSE Bug 1258120 https://bugzilla.suse.com/1258170 SUSE Bug 1258170 https://bugzilla.suse.com/1258508 SUSE Bug 1258508 https://www.suse.com/security/cve/CVE-2025-32049/ SUSE CVE CVE-2025-32049 page https://www.suse.com/security/cve/CVE-2025-4476/ SUSE CVE CVE-2025-4476 page https://www.suse.com/security/cve/CVE-2026-0716/ SUSE CVE CVE-2026-0716 page https://www.suse.com/security/cve/CVE-2026-2369/ SUSE CVE CVE-2026-2369 page https://www.suse.com/security/cve/CVE-2026-2443/ SUSE CVE CVE-2026-2443 page https://www.suse.com/security/cve/CVE-2026-2708/ SUSE CVE CVE-2026-2708 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libsoup-2_4-1-2.62.2-5.34.1 libsoup-2_4-1-32bit-2.62.2-5.34.1 libsoup-2_4-1-64bit-2.62.2-5.34.1 libsoup-devel-2.62.2-5.34.1 libsoup-devel-32bit-2.62.2-5.34.1 libsoup-devel-64bit-2.62.2-5.34.1 libsoup-lang-2.62.2-5.34.1 typelib-1_0-Soup-2_4-2.62.2-5.34.1 libsoup-2_4-1-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libsoup-2_4-1-32bit-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libsoup-devel-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libsoup-lang-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS typelib-1_0-Soup-2_4-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libsoup-2_4-1-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libsoup-2_4-1-32bit-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libsoup-devel-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libsoup-lang-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 typelib-1_0-Soup-2_4-2.62.2-5.34.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS). CVE-2025-32049 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:typelib-1_0-Soup-2_4-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:typelib-1_0-Soup-2_4-2.62.2-5.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ https://www.suse.com/security/cve/CVE-2025-32049.html CVE-2025-32049 https://bugzilla.suse.com/1240751 SUSE Bug 1240751 https://bugzilla.suse.com/1250562 SUSE Bug 1250562 A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server. CVE-2025-4476 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:typelib-1_0-Soup-2_4-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:typelib-1_0-Soup-2_4-2.62.2-5.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ https://www.suse.com/security/cve/CVE-2025-4476.html CVE-2025-4476 https://bugzilla.suse.com/1243422 SUSE Bug 1243422 A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. CVE-2026-0716 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:typelib-1_0-Soup-2_4-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:typelib-1_0-Soup-2_4-2.62.2-5.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ https://www.suse.com/security/cve/CVE-2026-0716.html CVE-2026-0716 https://bugzilla.suse.com/1256418 SUSE Bug 1256418 unknown CVE-2026-2369 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:typelib-1_0-Soup-2_4-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:typelib-1_0-Soup-2_4-2.62.2-5.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ https://www.suse.com/security/cve/CVE-2026-2369.html CVE-2026-2369 https://bugzilla.suse.com/1258120 SUSE Bug 1258120 A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component. CVE-2026-2443 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:typelib-1_0-Soup-2_4-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:typelib-1_0-Soup-2_4-2.62.2-5.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ https://www.suse.com/security/cve/CVE-2026-2443.html CVE-2026-2443 https://bugzilla.suse.com/1258170 SUSE Bug 1258170 unknown CVE-2026-2708 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server 12 SP5-LTSS:typelib-1_0-Soup-2_4-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-2_4-1-32bit-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-devel-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsoup-lang-2.62.2-5.34.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:typelib-1_0-Soup-2_4-2.62.2-5.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260703-1/ https://www.suse.com/security/cve/CVE-2026-2708.html CVE-2026-2708 https://bugzilla.suse.com/1258508 SUSE Bug 1258508