Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-03-16T00:00:00 libsoup: libsoup: Denial of Service via Use-After-Free in HTTP/2 server 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CWE-416

A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).

This MODERATE impact use-after-free flaw in libsoup's HTTP/2 server implementation affects applications that use libsoup to handle HTTP/2 server callbacks. An attacker can trigger this by sending HTTP/2 requests that cause authentication validation failures, potentially leading to application instability or crashes. Red Hat products are affected if they leverage libsoup as an HTTP/2 server and disconnect client connections during header processing. Red Hat would like to thank fouzhe for reporting this issue. Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Red Hat Enterprise Linux 10 Affected libsoup3 Red Hat Enterprise Linux 6 Affected libsoup Red Hat Enterprise Linux 7 Affected libsoup Red Hat Enterprise Linux 8 Affected libsoup Red Hat Enterprise Linux 9 Affected libsoup https://www.cve.org/CVERecord?id=CVE-2026-4271 https://nvd.nist.gov/vuln/detail/CVE-2026-4271 https://gitlab.gnome.org/GNOME/libsoup/-/issues/496