Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AV:N and PR:N per unauthenticated HTTP/2 delivery; AC:H per SSVC non-automatable; C:L added because description explicitly cites potential memory fragment exposure despite official C:N.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A heap buffer over-read vulnerability was discovered in libsoup's HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.
AnalysisAI
Heap buffer over-read in libsoup's HTTP/2 GOAWAY frame parser allows remote unauthenticated attackers to crash applications or leak heap memory fragments by sending a malformed frame with a non-NUL-terminated Additional Debug Data payload. Affected deployments include applications built on libsoup running on Red Hat Enterprise Linux 10 that accept or initiate HTTP/2 connections. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target application must use libsoup to handle HTTP/2 connections - HTTP/2 must be negotiated between client and server (not HTTP/1.1). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H reflects a network-reachable, unauthenticated path but with high attack complexity - consistent with the SSVC Automatable:no rating, which signals that reliable, unsupervised exploitation requires non-trivial frame crafting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a malicious HTTP/2 server (or performing a man-in-the-middle position against a libsoup-based client) sends a GOAWAY frame whose Additional Debug Data field contains binary content with no NUL terminator. When libsoup's parser processes the frame, it calls a string function on the raw payload, reading past the allocated buffer until a NUL byte is found elsewhere in heap memory, crashing the application or leaking heap contents to the attacker. … |
| Remediation | No specific patched libsoup version number is confirmed in the available data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44341
GHSA-9fmg-hf32-22c3