CVE-2025-12105

Vulnerability

Description

A use-after-free vulnerability exists in libsoup's handling of asynchronous message queues during HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization, leading to a double-free condition [2][4]. This flaw originates from an incorrect assumption in the queue management logic, where a 'finished' callback can be invoked twice on the same item.

Exploitation

An attacker can exploit this vulnerability remotely by sending specially crafted HTTP/2 requests and triggering specific read and cancel sequences. The attack requires no authentication and can be performed over the network, making it a low-complexity exploit that only needs the ability to initiate HTTP/2 connections to the affected service [2]. The double-free results in a use-after-free memory access, which can corrupt the application's memory state.

Impact

Successful exploitation leads to an application crash, resulting in a denial of service condition. This can render services using libsoup (such as GNOME and WebKit-based applications) unavailable [1][2]. The vulnerability has a CVSS v3 base score of 7.5 (High), indicating significant potential for disruption.

Mitigation

Red Hat has released errata RHSA-2025:23437 and RHSA-2025:23139 to address this issue for Red Hat Enterprise Linux [1][3]. The upstream libsoup project has also provided a fix in merge request !481, which is included in subsequent releases [4]. Users are strongly advised to update their libsoup packages to the patched versions.