Bug 2405992 (CVE-2025-12105)

Summary: CVE-2025-12105 libsoup: Heap Use-After-Free in libsoup message queue handling during HTTP/2 read completion
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2405993, 2405994, 2405995, 2405996, 2405997, 2405998

Description OSIDB Bzimport 2025-10-23 08:33:50 UTC
A Heap Use-After-Free vulnerability was found in the queue item management logic of the libsoup HTTP client library. The flaw occurs when a queued message is “finished” twice under specific timing conditions during asynchronous read operations. When the run_until_read_done() function attempts to finalize an already-finished item, memory previously freed is accessed again, resulting in undefined behavior or a crash. This condition can be triggered remotely via crafted HTTP/2 request sequences or abrupt connection terminations. Exploitation does not require authentication or user interaction, and can lead to application crashes or denial of service in software using libsoup for network communications.
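As an added illustrative example (not libsoup's code and not the upstream fix), the following C model shows the failure class the description refers to: an asynchronous message queue in which a cancellation and a read completion can both try to "finish" the same queue item. Two guards keep the second finish from turning into a use-after-free: an explicit state field makes finishing idempotent, and the completion path holds its own reference so the item cannot be released underneath it. Every identifier, including run_until_read_done_sim, is hypothetical and the URL is constructed.

```c
/* Added illustrative example; not libsoup's code and not the upstream fix.
 * Models an async queue item that two paths (abort, read completion) may
 * finish; state + refcount guards make the second finish harmless.
 * All identifiers are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { ITEM_QUEUED, ITEM_READING, ITEM_FINISHED } item_state_t;

typedef struct queue_item {
    int refcount;              /* queue holds one ref; in-flight work holds another */
    item_state_t state;        /* idempotency guard for finishing */
    char *url;                 /* stands in for the HTTP message being read */
    struct queue_item *next;
} queue_item_t;

typedef struct {
    queue_item_t *head;
    int frees;                 /* how many items were actually released */
} msg_queue_t;

static queue_item_t *item_ref(queue_item_t *it)
{
    it->refcount++;
    return it;
}

static void item_unref(msg_queue_t *q, queue_item_t *it)
{
    if (--it->refcount > 0)
        return;
    free(it->url);
    free(it);
    q->frees++;
}

/* Enqueue a message; the queue owns the initial reference. */
static queue_item_t *queue_push(msg_queue_t *q, const char *url)
{
    queue_item_t *it = calloc(1, sizeof *it);
    size_t n = strlen(url) + 1;
    if (!it)
        return NULL;
    it->url = malloc(n);
    if (!it->url) {
        free(it);
        return NULL;
    }
    memcpy(it->url, url, n);
    it->refcount = 1;
    it->state = ITEM_QUEUED;
    it->next = q->head;
    q->head = it;
    return it;
}

/* Finish an item. Returns 1 if this call did the work, 0 if it was already
 * finished. The item is unlinked before the queue's reference is dropped,
 * so no other path can reach it through the queue afterwards. */
static int queue_finish_item(msg_queue_t *q, queue_item_t *it)
{
    queue_item_t **pp;

    if (it->state == ITEM_FINISHED)
        return 0;
    it->state = ITEM_FINISHED;
    for (pp = &q->head; *pp && *pp != it; pp = &(*pp)->next)
        ;
    if (*pp)
        *pp = it->next;
    item_unref(q, it);         /* drop the queue's reference */
    return 1;
}

/* Hypothetical read-completion routine. With abort_midway set, a cancel
 * finishes the item before completion tries to finish it again. Returns
 * how many of the finish attempts actually took effect. */
static int run_until_read_done_sim(msg_queue_t *q, queue_item_t *it, int abort_midway)
{
    int done = 0;

    item_ref(it);              /* keep the item alive for the whole callback */
    it->state = ITEM_READING;
    if (abort_midway)
        done += queue_finish_item(q, it);
    done += queue_finish_item(q, it);
    item_unref(q, it);         /* completion's reference; last ref frees here */
    return done;
}

/* Run one scenario and return the number of real frees, or -1 if the queue
 * still references the item afterwards. */
int scenario_frees(int abort_midway)
{
    msg_queue_t q = { NULL, 0 };
    /* constructed sample input */
    queue_item_t *it = queue_push(&q, "https://example.invalid/resource");
    if (!it)
        return -1;
    run_until_read_done_sim(&q, it, abort_midway);
    return q.head == NULL ? q.frees : -1;
}

int main(void)
{
    printf("abort mid-read: %d free(s)\n", scenario_frees(1));
    printf("normal completion: %d free(s)\n", scenario_frees(0));
    return 0;
}
```

In both scenarios the item is released exactly once and the queue ends up empty. A state flag on the item alone would not be enough, because the second finisher would read that flag from freed memory; the reference held across the completion callback is what keeps the state check itself valid.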

Comment 1 errata-xmlrpc 2025-12-11 17:42:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:23139 https://access.redhat.com/errata/RHSA-2025:23139

Comment 2 errata-xmlrpc 2025-12-17 07:27:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:23437 https://access.redhat.com/errata/RHSA-2025:23437