Skip to main content

libsoup CVE-2026-12478

| EUVDEUVD-2026-43651 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-14 redhat GHSA-6jpc-6452-qwq2
4.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
vuln.today AI
4.8 MEDIUM

Network vector (attacker is the server); AC:H for dual precondition of max_incoming_payload_size=0 and attacker-controlled endpoint; no auth required from attacker's server role; OOB read yields only limited memory disclosure and potential crash.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 10:17 vuln.today
CVE Published
Jul 14, 2026 - 09:26 cve.org
MEDIUM 4.8

DescriptionCVE.org

The fix for CVE-2026-0716 (commit 6ff7ef0, libsoup 3.6.6) placed the integer overflow guard inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0.

AnalysisAI

Out-of-bounds read in libsoup 3.6.6 exposes WebSocket clients to memory disclosure and crashes when connecting to malicious servers. The incomplete fix for CVE-2026-0716 (commit 6ff7ef0) placed the integer overflow guard exclusively inside the masked-frame branch, leaving the unmasked server-to-client frame path entirely unprotected - allowing a crafted payload length near UINT64_MAX to bypass the guard entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls or MITMs WebSocket server
Delivery
Victim client (libsoup, max_incoming_payload_size=0) connects
Exploit
Server sends unmasked frame with length near UINT64_MAX
Execution
Overflow guard bypassed on unmasked code path
Persist
Integer wraparound corrupts buffer length calculation
Impact
OOB read yields memory disclosure or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires ALL of the following: (1) the target application uses libsoup for WebSocket client connectivity; (2) the application sets `max_incoming_payload_size` to exactly 0 - this is an explicit developer choice, not the default behavior, as 0 signals 'no limit'; (3) the client connects to a server under attacker control, or the connection is subject to a man-in-the-middle attack enabling frame injection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.8 (Medium) is consistent with the realistic threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating or compromising a WebSocket server sends a crafted unmasked frame with a payload-length field set to a value near UINT64_MAX. A libsoup-based client application configured with `max_incoming_payload_size=0` processes this frame, bypasses the integer overflow guard (which only runs on the masked path), and performs arithmetic that wraps around, directing reads into out-of-bounds memory - potentially leaking heap contents or crashing the client process. …
Remediation The upstream fix is available as libsoup GitLab merge request 518 at https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/518; however, a released tagged version incorporating this fix has not been independently confirmed from the available data - treat this as an upstream fix available via PR/commit rather than a shipped patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Share

CVE-2026-12478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy