Skip to main content

libsoup EUVDEUVD-2026-44408

| CVE-2026-15709 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-07-14 redhat GHSA-gv2g-7h3v-q5f3
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

A remote unauthenticated peer triggers memory exhaustion with no user interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only OOM DoS, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 21:05 vuln.today
CVE Published
Jul 14, 2026 - 19:41 nvd
HIGH 7.5

DescriptionCVE.org

A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop (inflate()) processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via max_incoming_payload_size, it fails to track or limit memory allocation during decompression. A separate check for decompressed size (max_total_message_size) exists but executes only after inflation is complete, and it is entirely disabled by default for client connections. A remote, unauthenticated attacker can exploit this by sending a small, highly compressed payload (a decompression bomb), causing unbounded memory allocation that triggers an Out-of-Memory (OOM) crash and a Denial of Service (DoS).

AnalysisAI

Denial of service in libsoup's WebSocket permessage-deflate implementation lets a remote, unauthenticated attacker crash applications by sending a small, highly compressed 'decompression bomb' that expands without bound during inflation, exhausting memory and triggering an Out-of-Memory kill. All Red Hat Enterprise Linux 6 through 10 ship the affected libsoup HTTP/WebSocket library, and client connections are especially exposed because the decompressed-size guard (max_total_message_size) is disabled by default for clients. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts malicious WebSocket endpoint
Delivery
libsoup peer negotiates permessage-deflate
Exploit
Send tiny highly-compressed decompression-bomb frame
Execution
inflate() expands output with no memory bound
Persist
Unbounded allocation exhausts RAM
Impact
Process OOM-killed, denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable libsoup peer negotiate the WebSocket permessage-deflate compression extension with the attacker - this is the exact enabling feature. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a network-reachable, low-complexity, unauthenticated, availability-only impact - no confidentiality or integrity loss, consistent with a pure DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operates or compromises a WebSocket endpoint and waits for a libsoup-based client (for example a GNOME desktop app or WebKitGTK component) to connect and negotiate permessage-deflate. The attacker then sends a small, highly compressed frame that inflates to gigabytes, and because libsoup does not cap allocation during inflation the process consumes all available memory and is OOM-killed, denying service. …
Remediation No vendor-released patched libsoup version was identified in the provided data - the references point to Red Hat's CVE page, Bugzilla 2499922, and GNOME GitLab issue 511 rather than a tagged fixed release, so monitor https://access.redhat.com/security/cve/CVE-2026-15709 and apply the distribution libsoup update as soon as Red Hat publishes fixed package NVRs. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all production systems running RHEL 6-10 with WebSocket services enabled and disable WebSocket support where not operationally essential. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Share

EUVD-2026-44408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy