Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0174

NIXPKGS-2026-0174
published on
Permalink CVE-2026-1761
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @jopejoe1 removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago
Libsoup: stack-based buffer overflow in libsoup multipart response parsingmultipart http response

A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.

References

Affected products

libsoup
  • *
libsoup3
  • *
spice-client-win
  • *
devspaces/udi-rhel9
  • *
devspaces/openvsx-rhel9
  • *
devspaces/pluginregistry-rhel9
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable 3.6.5
    • nixpkgs-unstable 3.6.5
    • nixos-unstable-small 3.6.5
  • nixos-25.11 -
    • nixos-25.11-small 3.6.5
    • nixpkgs-25.11-darwin 3.6.5

Package maintainers

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/493
Upstream patch: https://gitlab.gnome.org/GNOME/libsoup/-/commit/cfa9d90d1a5c274233554a264c56551c13d6a6f0