Skip to main content

libsoup CVE-2025-12105

HIGH
Use After Free (CWE-416)
2025-10-23 secalert@redhat.com
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Remote unauthenticated trigger with crash-only impact gives A:H and C/I:N, but the timing-window race warrants AC:H rather than the input's AC:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Red Hat
7.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 04:30 vuln.today
CVE Published
Oct 23, 2025 - 10:15 cve.org
HIGH 7.5

DescriptionCVE.org

A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.

AnalysisAI

Remote denial-of-service in libsoup affects GNOME and WebKit-based applications that rely on the library for HTTP/2 client communication. A race in the asynchronous message-queue handling lets a queue item be freed twice when network operations are aborted at precise timing, producing a use-after-free that crashes the consuming application. Red Hat reported the issue and has shipped errata fixes; there is no public exploit identified at time of analysis and the flaw is confined to availability impact (no code execution or data exposure indicated).

Technical ContextAI

libsoup is the GLib/GNOME HTTP client and server library that underpins HTTP/2 communications for many desktop applications and WebKitGTK-based browsers and embedders. The defect lives in the asynchronous message queue used to track in-flight requests: when a connection's HTTP/2 read sequence and a cancel/abort occur at a specific interleaving, missing state synchronization allows the same queue item to be released twice, leaving a dangling pointer that is subsequently dereferenced. This is a classic CWE-416 Use-After-Free arising from a double-free/race condition rather than from attacker-controlled heap grooming, which is consistent with the observed crash-only impact. The upstream fix is tracked in GNOME GitLab merge request 481 against the libsoup project.

Affected ProductsAI

The affected component is the libsoup HTTP library as consumed by GNOME and WebKit-based applications for HTTP/2; exact upstream affected version ranges are not enumerated in the provided data and should be confirmed against the GNOME advisory (https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/481). Red Hat distributions are confirmed affected and addressed via errata RHSA-2025:23139 (https://access.redhat.com/errata/RHSA-2025:23139) and RHSA-2025:23437 (https://access.redhat.com/errata/RHSA-2025:23437), with tracking at https://access.redhat.com/security/cve/CVE-2025-12105 and https://bugzilla.redhat.com/show_bug.cgi?id=2405992. No CPE strings were supplied in the input, so precise version boundaries are not independently verifiable here.

RemediationAI

Apply the vendor-released patches: on Red Hat systems update libsoup to the fixed packages delivered by RHSA-2025:23139 (https://access.redhat.com/errata/RHSA-2025:23139) and RHSA-2025:23437 (https://access.redhat.com/errata/RHSA-2025:23437), and on other distributions upgrade to a libsoup build that incorporates GNOME merge request 481 (https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/481); the exact upstream tagged release version is not stated in the input and should be confirmed with your distribution. Because the library is loaded by many applications, restart or update all dependent services and browsers after patching so the fixed shared library is actually in use. If immediate patching is not possible, reduce exposure by limiting which HTTP/2 endpoints libsoup-based clients connect to - restrict applications to trusted servers and block or proxy outbound connections to untrusted HTTP/2 origins - accepting the trade-off that this constrains normal browsing/fetch functionality; where feasible, disabling HTTP/2 negotiation for affected clients avoids the vulnerable read/cancel path at the cost of falling back to HTTP/1.1 performance.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
Container suse/sl-micro/6.0/toolbox:latest Affected
SUSE Liberty Linux 10 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed

Share

CVE-2025-12105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy