Skip to main content

Libsoup CVE-2026-2369

MEDIUM
Integer Underflow (CWE-191)
2026-03-19 secalert@redhat.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 20, 2026 - 13:52 vuln.today
CVE Published
Mar 19, 2026 - 15:16 nvd
MEDIUM 6.5

DescriptionCVE.org

A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service.

AnalysisAI

libsoup versions prior to the patched release contain an integer underflow vulnerability in zero-length resource processing that enables unauthenticated remote attackers to read adjacent memory or trigger denial of service. The vulnerability stems from improper bounds checking during content handling, affecting any application using the vulnerable libsoup library for HTTP operations. No public exploit code has been identified, and the low EPSS score (0.04%, percentile 11%) indicates exploitation is unlikely in practice despite the moderate CVSS score of 6.5.

Technical ContextAI

libsoup is a GNOME HTTP client/server library used for HTTP protocol handling in numerous desktop and server applications. The vulnerability is rooted in CWE-191 (Integer Underflow or Wraparound), a class of arithmetic errors where integer values wrap to extremely large values when decremented below zero. When libsoup processes HTTP responses with zero-length resources, improper subtraction or size calculation causes an integer underflow, resulting in a massively inflated buffer size that permits reading beyond allocated memory boundaries. This class of vulnerability is distinct from traditional buffer overflows-the attacker does not inject data, but rather causes the application to read unintended memory regions due to incorrect arithmetic. The affected component processes HTTP entity bodies and metadata, meaning any libsoup-based HTTP client or server can be exploited remotely without authentication (PR:N per CVSS vector).

RemediationAI

Update libsoup to the patched version released by the GNOME project and distributed through your operating system's package manager. For Red Hat distributions, apply the security advisory available at https://access.redhat.com/security/cve/CVE-2026-2369. For Debian/Ubuntu systems, check the security advisories from your distribution vendor. Verify the exact patched version by consulting the vendor advisory; apply the update to all systems running libsoup-dependent applications (GNOME components, Evolution, and related tools). Until patching is possible, restrict HTTP traffic to trusted, authenticated peers where feasible, and disable HTTP client functionality in libsoup-based applications if not required for normal operation. Monitor for unexplained crashes or memory access errors in libsoup-based services, which may indicate exploitation attempts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.53 Container suse/sl-micro/6.0/toolbox:13.2-9.12 Affected
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed

Share

CVE-2026-2369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy