A heap buffer over-read vulnerability was discovered in libsoup's (versions: libsoup 3.0 to 3.7.0) HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
The vulnerability requires debug logging to be enabled with the G_MESSAGES_DEBUG environment variable, e.g. G_MESSAGES_DEBUG=all or G_MESSAGES_DEBUG=libsoup-http2. Ensure this environment variable is not set.
References
History
Tue, 14 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A heap buffer over-read vulnerability was discovered in libsoup's HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents. | A heap buffer over-read vulnerability was discovered in libsoup's (versions: libsoup 3.0 to 3.7.0) HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents. |
Tue, 14 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A heap buffer over-read vulnerability was discovered in libsoup's HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents. | |
| Title | Soupclientmessageiohttp2: libsoup3: libsoup: http/2 goaway frame parsing heap buffer over-read via invalid nul-termination assumption | |
| First Time appeared |
Redhat
Redhat enterprise Linux |
|
| Weaknesses | CWE-125 | |
| CPEs | cpe:/o:redhat:enterprise_linux:10 | |
| Vendors & Products |
Redhat
Redhat enterprise Linux |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-14T19:15:43.984Z
Reserved: 2026-07-14T09:55:11.765Z
Link: CVE-2026-15712
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses