Untriaged
Permalink
CVE-2026-4271
5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): LOW
Libsoup: libsoup: denial of service via use-after-free in http/2 server
A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).
References
- https://access.redhat.com/security/cve/CVE-2026-4271 x_refsource_REDHAT vdb-entry
- RHBZ#2448044 issue-tracking x_refsource_REDHAT
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/496
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/496 exploit
Affected products
libsoup
libsoup3
Matching in nixpkgs
pkgs.libsoup_3
HTTP client/server library for GNOME
pkgs.libsoup_2_4
HTTP client/server library for GNOME
pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22
Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4
Package maintainers
-
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
-
@bobby285271 Bobby Rong <rjl931189261@126.com>
-
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
-
@lovek323 Jason O'Conal <jason@oconal.id.au>
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@jtojnar Jan Tojnar <jtojnar@gmail.com>