NIXPKGS-2026-0250

GitHub issue published on

Permalink CVE-2026-2443

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 3 months, 1 week ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 3 months, 1 week ago
@LeSuisse accepted 3 months, 1 week ago
@LeSuisse published on GitHub 3 months, 1 week ago

Libsoup: out-of-bounds read in libsoup handle_partial_get() leading to heap information disclosure

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.

References

https://access.redhat.com/security/cve/CVE-2026-2443 vdb-entryx_refsource_REDHAT
RHBZ#2439671 issue-trackingx_refsource_REDHAT

Affected products

libsoup

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.5
- nixpkgs-unstable 3.6.5
- nixos-unstable-small 3.6.5
nixos-25.11 3.6.5
- nixos-25.11-small 3.6.5
- nixpkgs-25.11-darwin 3.6.5

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3
nixos-25.11 2.74.3
- nixos-25.11-small 2.74.3
- nixpkgs-25.11-darwin 2.74.3

Ignored packages (1)

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/487
Upstream patches:
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/739bf7cb509c20141093d5a7f553007c8af81129
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/00665d626255868ff4b6a30534f46e742478e232

Nixpkgs security tracker