Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A remote unauthenticated peer triggers memory exhaustion with no user interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only OOM DoS, so C:N/I:N/A:H.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop (inflate()) processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via max_incoming_payload_size, it fails to track or limit memory allocation during decompression. A separate check for decompressed size (max_total_message_size) exists but executes only after inflation is complete, and it is entirely disabled by default for client connections. A remote, unauthenticated attacker can exploit this by sending a small, highly compressed payload (a decompression bomb), causing unbounded memory allocation that triggers an Out-of-Memory (OOM) crash and a Denial of Service (DoS).
AnalysisAI
Denial of service in libsoup's WebSocket permessage-deflate implementation lets a remote, unauthenticated attacker crash applications by sending a small, highly compressed 'decompression bomb' that expands without bound during inflation, exhausting memory and triggering an Out-of-Memory kill. All Red Hat Enterprise Linux 6 through 10 ship the affected libsoup HTTP/WebSocket library, and client connections are especially exposed because the decompressed-size guard (max_total_message_size) is disabled by default for clients. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable libsoup peer negotiate the WebSocket permessage-deflate compression extension with the attacker - this is the exact enabling feature. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a network-reachable, low-complexity, unauthenticated, availability-only impact - no confidentiality or integrity loss, consistent with a pure DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operates or compromises a WebSocket endpoint and waits for a libsoup-based client (for example a GNOME desktop app or WebKitGTK component) to connect and negotiate permessage-deflate. The attacker then sends a small, highly compressed frame that inflates to gigabytes, and because libsoup does not cap allocation during inflation the process consumes all available memory and is OOM-killed, denying service. … |
| Remediation | No vendor-released patched libsoup version was identified in the provided data - the references point to Red Hat's CVE page, Bugzilla 2499922, and GNOME GitLab issue 511 rather than a tagged fixed release, so monitor https://access.redhat.com/security/cve/CVE-2026-15709 and apply the distribution libsoup update as soon as Red Hat publishes fixed package NVRs. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all production systems running RHEL 6-10 with WebSocket services enabled and disable WebSocket support where not operationally essential. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44408
GHSA-gv2g-7h3v-q5f3