Security update for libsoup SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20529-1 Final 1 1 2026-03-02T13:19:17Z current 2026-03-02T13:19:17Z 2026-03-02T13:19:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup This update for libsoup fixes the following issues: - CVE-2025-12105: Fixed heap use-after-free in message queue handling during HTTP/2 read completion. (bsc#1252555) - CVE-2025-32049: Fixed a Denial of Service attack to websocket server. (bsc#1240751) - CVE-2026-2443: Fixed an out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers. (bsc#1258170) - CVE-2026-2369: Fixed a buffer overread due to integer underflow when handling zero-length resources. (bsc#1258120) - CVE-2026-2708: Fixed HTTP request smuggling via duplicate Content-Length headers. (bsc#1258508) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-601 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/ Link for SUSE-SU-2026:20529-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024525.html E-Mail link for SUSE-SU-2026:20529-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240751 SUSE Bug 1240751 https://bugzilla.suse.com/1252555 SUSE Bug 1252555 https://bugzilla.suse.com/1258120 SUSE Bug 1258120 https://bugzilla.suse.com/1258170 SUSE Bug 1258170 https://bugzilla.suse.com/1258508 SUSE Bug 1258508 https://www.suse.com/security/cve/CVE-2025-12105/ SUSE CVE CVE-2025-12105 page https://www.suse.com/security/cve/CVE-2025-32049/ SUSE CVE CVE-2025-32049 page https://www.suse.com/security/cve/CVE-2026-2369/ SUSE CVE CVE-2026-2369 page https://www.suse.com/security/cve/CVE-2026-2443/ SUSE CVE CVE-2026-2443 page https://www.suse.com/security/cve/CVE-2026-2708/ SUSE CVE CVE-2026-2708 page SUSE Linux Micro 6.0 libsoup-3_0-0-3.4.2-13.1 libsoup-3_0-0-3.4.2-13.1 as a component of SUSE Linux Micro 6.0 A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition. CVE-2025-12105 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/ https://www.suse.com/security/cve/CVE-2025-12105.html CVE-2025-12105 https://bugzilla.suse.com/1252555 SUSE Bug 1252555 A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS). CVE-2025-32049 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/ https://www.suse.com/security/cve/CVE-2025-32049.html CVE-2025-32049 https://bugzilla.suse.com/1240751 SUSE Bug 1240751 https://bugzilla.suse.com/1250562 SUSE Bug 1250562 unknown CVE-2026-2369 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/ https://www.suse.com/security/cve/CVE-2026-2369.html CVE-2026-2369 https://bugzilla.suse.com/1258120 SUSE Bug 1258120 A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component. CVE-2026-2443 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/ https://www.suse.com/security/cve/CVE-2026-2443.html CVE-2026-2443 https://bugzilla.suse.com/1258170 SUSE Bug 1258170 unknown CVE-2026-2708 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/ https://www.suse.com/security/cve/CVE-2026-2708.html CVE-2026-2708 https://bugzilla.suse.com/1258508 SUSE Bug 1258508