libsoup: incomplete fix for CVE-2026-2443: Range suffix overflow in libsoup SoupServer
Description
The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Patches
Vulnerability mechanics
Root cause
"Missing clamping of `cur.start` to 0 after suffix-length calculation allows a negative start value to bypass the signed comparison check, producing a corrupted SoupRange."
Attack vector
An unauthenticated attacker sends a single HTTP request with a `Range` header containing a suffix length that exceeds the content size (e.g., `bytes=-101` on a 100-byte resource). The suffix calculation produces a negative `cur.start` value (`-101 + 100 = -1`), which the general signed comparison `cur.end < cur.start` evaluates as false (`99 < -1` is false). The corrupted `SoupRange` is then passed to the response builder, causing a malformed HTTP 206 response with an empty body, negative Content-Range header, and GLib-CRITICAL log flooding [ref_id=1].
Affected code
The vulnerability is in `soup-message-headers.c`, function `soup_message_headers_get_ranges_internal()`. The fix for CVE-2026-2443 was regressed by commit c1796442 / 00665d62 which replaced the inline overflow check with a general `cur.end < cur.start` comparison that fails to catch negative start values. All branches (master, libsoup-3-6, and 3.4.x releases) are affected [ref_id=1].
What the fix does
The advisory recommends clamping `cur.start` to 0 after the suffix calculation: after `cur.start = g_ascii_strtoll(spec, &end, 10) + total_length;`, add `if (cur.start < 0) cur.start = 0;`. This ensures that when the suffix length exceeds the total content length, the start offset is set to 0 rather than remaining negative, which aligns with RFC 9110 Section 14.1.2 ("If the selected representation is shorter than the specified suffix-length, the entire representation is used") [ref_id=1].
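To make the regression and the one-line fix concrete, here is an added, simplified model of the suffix-range branch (not libsoup's own code): `parse_suffix_range` reproduces the regressed logic when `clamp` is false and applies the advisory's clamp when it is true. `Range` stands in for `SoupRange`, and `strtoll` stands in for `g_ascii_strtoll`; both substitutions are assumptions made so the block compiles without GLib.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Stand-in for SoupRange: a closed byte interval [start, end]. */
typedef struct { long long start; long long end; } Range;

/* Parse one suffix-byte-range-spec such as "-101" against a resource of
 * total_length bytes. Simplified model of the suffix branch in
 * soup_message_headers_get_ranges_internal(); strtoll replaces
 * g_ascii_strtoll. clamp == false mirrors the regressed code path,
 * clamp == true adds the advisory's fix. Returns true if the range is
 * accepted and written to *out, false if it is rejected. */
bool parse_suffix_range(const char *spec, long long total_length,
                        bool clamp, Range *out)
{
    char *end;
    Range cur;

    /* spec points at the '-' of "bytes=-N", so strtoll yields -N and
     * adding total_length gives the intended start offset. */
    cur.start = strtoll(spec, &end, 10) + total_length;
    if (end == spec)
        return false;                 /* no digits: malformed spec */
    cur.end = total_length - 1;

    /* RFC 9110 14.1.2: a suffix longer than the representation selects
     * the entire representation, i.e. start must be clamped to 0. */
    if (clamp && cur.start < 0)
        cur.start = 0;

    /* The general signed check that replaced the CVE-2026-2443 overflow
     * check. With start == -1 and end == 99 it is false, so the
     * corrupted range is accepted. */
    if (cur.end < cur.start)
        return false;

    *out = cur;
    return true;
}

int main(void)
{
    Range r;
    bool ok = parse_suffix_range("-101", 100, false, &r);
    printf("regressed: accepted=%d start=%lld end=%lld\n", ok, r.start, r.end);
    ok = parse_suffix_range("-101", 100, true, &r);
    printf("clamped:   accepted=%d start=%lld end=%lld\n", ok, r.start, r.end);
    return 0;
}
```

Running it shows the regressed path accepting `start=-1 end=99` for `bytes=-101` on a 100-byte resource, while the clamped path yields `start=0 end=99`, the whole representation.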
Preconditions
- config: The server must serve a resource with a known content length and accept Range requests.
- auth: No authentication is required; the attack is a single unauthenticated HTTP request.
- network: The attacker sends a crafted Range header with a suffix length greater than the resource size over HTTP.
- input: The Range header value must be of the form `bytes=-N` where N exceeds the total content length.
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/security/cve/CVE-2026-12549 (MITRE: vdb-entry, x_refsource_REDHAT)
- access.redhat.com/security/cve/cve-2026-0716 (MITRE: technical-description, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (MITRE: issue-tracking, x_refsource_REDHAT)