Bug 2439091 (CVE-2026-2369)

Summary: CVE-2026-2369 libsoup: libsoup: Buffer overread due to integer underflow when handling zero-length resources
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Doc Text:
A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service.
Bug Depends On: 2439118, 2439119    

Description OSIDB Bzimport 2026-02-11 20:23:39 UTC
Integer underflow in CVE-2025-32052 fix when resource_length=0

The fix for CVE-2025-32052 (commit a5b86bfc) introduces a potential integer underflow vulnerability when resource_length is 0.

Affected Code: libsoup/soup-content-sniffer.c, line 507

Issue: The patch changes the condition from: while ((index_stream < resource_length) && ...) to: while ((index_stream < resource_length - 1) && ...)

When buffer->length = 0:

resource_length = MIN(512, 0) = 0
resource_length - 1 underflows to UINT_MAX (gsize is unsigned)
Condition (0 < UINT_MAX) = TRUE
Loop executes on empty buffer → buffer overread

Fix: Add guard before has_ws path: if (resource_length == 0) continue;

This matches the pattern used in the else branch which already checks: if (resource_length < type_row->pattern_length) continue;

Patch:

--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -498,6 +498,11 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer,
 		if (!sniff_scriptable && type_row->scriptable)
 			continue;
 
+		/* Ensure we have data to sniff - prevents underflow in resource_length - 1 */
+		if (resource_length == 0)
+			continue;
+
 		if (type_row->has_ws) {
 			guint index_stream = 0;
 			guint index_pattern = 0;
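
Review bot: the new resource_length == 0 check sits inside the per-row loop (it uses continue, directly after the type_row->scriptable test), but resource_length does not depend on type_row, so an empty buffer still walks every row only to skip each one. Consider testing it once before the loop, or removing the subtraction from the has_ws condition by writing it as index_stream + 1 < resource_length, which cannot wrap for any length. index_stream is also declared guint while the description gives resource_length as gsize; declaring the index as gsize would keep the comparison in one width. A regression test that sniffs a zero-length buffer would be worth adding alongside this change.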
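
A stand-alone illustration of the wraparound described in this report, added here and not taken from libsoup or from the patch: `size_t` stands in for `gsize`, and the function names, the simplified whitespace-skipping loop and the sample bytes are constructed for the demonstration. The backing array is larger than the declared length so the over-read stays inside valid memory and can be counted.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: four whitespace bytes, then a non-whitespace byte.
 * The array is 8 bytes long so reads past a declared length of 0 stay
 * inside valid memory and can be counted safely. */
static const unsigned char backing[8] = { ' ', '\t', '\n', ' ', 'X', 0, 0, 0 };

static int is_ws(unsigned char c)
{
	return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f';
}

/* Hypothetical simplified scan: skip whitespace while index < limit.
 * Returns the number of bytes that were read from buf. */
static size_t scan(const unsigned char *buf, size_t limit)
{
	size_t i = 0, examined = 0;

	while (i < limit) {
		examined++;
		if (!is_ws(buf[i++]))
			break;
	}
	return examined;
}

/* Flawed bound: for declared_len == 0, declared_len - 1 wraps to SIZE_MAX. */
static size_t scan_ws_flawed(const unsigned char *buf, size_t declared_len)
{
	return scan(buf, declared_len - 1);
}

/* Guarded bound: nothing is read when there is no data. */
static size_t scan_ws_guarded(const unsigned char *buf, size_t declared_len)
{
	if (declared_len == 0)
		return 0;
	return scan(buf, declared_len - 1);
}

int main(void)
{
	printf("declared 0, flawed : %zu bytes read\n", scan_ws_flawed(backing, 0));
	printf("declared 0, guarded: %zu bytes read\n", scan_ws_guarded(backing, 0));
	printf("declared 3, guarded: %zu bytes read\n", scan_ws_guarded(backing, 3));
	return 0;
}
```

For non-zero lengths both variants read the same number of bytes; only the zero-length case differs.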