Security update for libsoup SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20360-1 Final 1 1 2026-01-19T11:45:24Z current 2026-01-19T11:45:24Z 2026-01-19T11:45:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup This update for libsoup fixes the following issues: - CVE-2025-14523: flaw in HTTP header handling can lead to host header parsing discrepancy between servers and proxies and allow for request smuggling, cache poisoning and bypass of access controls (bsc#1254876). - CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion can lead to undefined behavior or crash (bsc#1252555). - CVE-2026-0716: Fixed out-of-bounds read for websocket (bsc#1256418). - CVE-2026-0719: Fixed overflow for password md4sum (bsc#1256399). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-379 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620360-1/ Link for SUSE-SU-2026:20360-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024323.html E-Mail link for SUSE-SU-2026:20360-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1252555 SUSE Bug 1252555 https://bugzilla.suse.com/1254876 SUSE Bug 1254876 https://bugzilla.suse.com/1256399 SUSE Bug 1256399 https://bugzilla.suse.com/1256418 SUSE Bug 1256418 https://www.suse.com/security/cve/CVE-2025-12105/ SUSE CVE CVE-2025-12105 page https://www.suse.com/security/cve/CVE-2025-14523/ SUSE CVE CVE-2025-14523 page https://www.suse.com/security/cve/CVE-2026-0716/ SUSE CVE CVE-2026-0716 page https://www.suse.com/security/cve/CVE-2026-0719/ SUSE CVE CVE-2026-0719 page SUSE Linux Micro 6.1 libsoup-3_0-0-3.4.4-slfo.1.1_6.1 libsoup-3_0-0-3.4.4-slfo.1.1_6.1 as a component of SUSE Linux Micro 6.1 A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition. CVE-2025-12105 SUSE Linux Micro 6.1:libsoup-3_0-0-3.4.4-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620360-1/ https://www.suse.com/security/cve/CVE-2025-12105.html CVE-2025-12105 https://bugzilla.suse.com/1252555 SUSE Bug 1252555 A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers. CVE-2025-14523 SUSE Linux Micro 6.1:libsoup-3_0-0-3.4.4-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620360-1/ https://www.suse.com/security/cve/CVE-2025-14523.html CVE-2025-14523 https://bugzilla.suse.com/1254876 SUSE Bug 1254876 A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. CVE-2026-0716 SUSE Linux Micro 6.1:libsoup-3_0-0-3.4.4-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620360-1/ https://www.suse.com/security/cve/CVE-2026-0716.html CVE-2026-0716 https://bugzilla.suse.com/1256418 SUSE Bug 1256418 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. CVE-2026-0719 SUSE Linux Micro 6.1:libsoup-3_0-0-3.4.4-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620360-1/ https://www.suse.com/security/cve/CVE-2026-0719.html CVE-2026-0719 https://bugzilla.suse.com/1256399 SUSE Bug 1256399