<Vulnerability name="CVE-2026-15712">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-14T10:00:00</PublicDate>
    <Bugzilla id="2499939" url="https://bugzilla.redhat.com/show_bug.cgi?id=2499939" xml:lang="en:us">
SoupClientMessageIOHTTP2: libsoup3: libsoup: HTTP/2 GOAWAY frame parsing heap buffer over-read via invalid NUL-termination assumption
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-125</CWE>
    <Details xml:lang="en:us" source="Mitre">
A heap buffer over-read vulnerability was discovered in libsoup's (versions: libsoup 3.0 to 3.7.0) HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A heap buffer over-read vulnerability was discovered in libsoup's (versions: libsoup 3.0 to 3.7.0) HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability poses a moderate impact to system confidentiality and availability for software implementations leveraging libsoup for HTTP/2 client or server communications. An unauthenticated network adversary can manipulate frame characteristics to force memory parsing out-of-bounds without requiring special system privileges or user interaction. While primarily resulting in a denial of service via a segmentation fault, the risk of data exposure from adjacent heap allocations places this as a notable security boundary failure within the protocol decoding stack.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank cavid for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
The vulnerability requires debug logging to be enabled with the G_MESSAGES_DEBUG environment variable, e.g. G_MESSAGES_DEBUG=all or G_MESSAGES_DEBUG=libsoup-http2. Ensure this environment variable is not set.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>libsoup3</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-15712
https://nvd.nist.gov/vuln/detail/CVE-2026-15712
https://gitlab.gnome.org/GNOME/libsoup/-/work_items/540
    </References>
</Vulnerability>