rpm package
suse/libsoup&distro=SUSE Linux Micro 6.2
pkg:rpm/suse/libsoup&distro=SUSE%20Linux%20Micro%206.2
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-2708 | Low | 3.7 | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Apr 23, 2026 | A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. | |
| CVE-2026-2369 | Med | 6.5 | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Mar 19, 2026 | A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service. | |
| CVE-2026-2443 | — | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Feb 13, 2026 | A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access port | ||
| CVE-2026-1761 | Hig | 8.6 | < 3.6.5-160000.4.1 | 3.6.5-160000.4.1 | Feb 2, 2026 | A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to m | |
| CVE-2026-1760 | Med | 5.3 | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Feb 2, 2026 | A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially craft | |
| CVE-2026-1539 | — | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Jan 28, 2026 | A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirect | ||
| CVE-2026-1536 | — | < 3.6.5-160000.4.1 | 3.6.5-160000.4.1 | Jan 28, 2026 | A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allow | ||
| CVE-2026-1467 | — | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Jan 27, 2026 | A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit | ||
| CVE-2026-0716 | Med | 4.8 | < 3.6.5-160000.3.1 | 3.6.5-160000.3.1 | Jan 13, 2026 | A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or | |
| CVE-2026-0719 | Hig | 8.6 | < 3.6.5-160000.3.1 | 3.6.5-160000.3.1 | Jan 8, 2026 | A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This | |
| CVE-2025-14523 | Hig | 8.2 | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Dec 11, 2025 | A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to on | |
| CVE-2025-12105 | Hig | 7.5 | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Oct 23, 2025 | A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed tw | |
| CVE-2025-11021 | Hig | 7.5 | < 3.6.5-160000.3.1 | 3.6.5-160000.3.1 | Sep 26, 2025 | A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw coul | |
| CVE-2025-32049 | Hig | 7.5 | < 3.6.6-160000.1.1 | 3.6.6-160000.1.1 | Apr 3, 2025 | A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS). |
- affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields.
- affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service.
- CVE-2026-2443Feb 13, 2026affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access port
- affected < 3.6.5-160000.4.1fixed 3.6.5-160000.4.1
A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to m
- affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially craft
- CVE-2026-1539Jan 28, 2026affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirect
- CVE-2026-1536Jan 28, 2026affected < 3.6.5-160000.4.1fixed 3.6.5-160000.4.1
A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allow
- CVE-2026-1467Jan 27, 2026affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit
- affected < 3.6.5-160000.3.1fixed 3.6.5-160000.3.1
A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or
- affected < 3.6.5-160000.3.1fixed 3.6.5-160000.3.1
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This
- affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to on
- affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed tw
- affected < 3.6.5-160000.3.1fixed 3.6.5-160000.3.1
A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw coul
- affected < 3.6.6-160000.1.1fixed 3.6.6-160000.1.1
A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).