Bug 2442909 (CVE-2026-2436)

Summary: CVE-2026-2436 libsoup: libsoup: Denial of Service via use-after-free in SoupServer during TLS handshake
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.

Description OSIDB Bzimport 2026-02-26 01:15:07 UTC
SoupServer is vulnerable to a use-after-free vulnerability because soup_server_disconnect() frees all SoupServerConnection objects, even if there is a pending GnuTLS handshake to be finished.

A TLS handshake is initiated asynchronously. After creating the SoupServerConnection, libsoup calls g_tls_connection_handshake_async(), which registers tls_connection_handshake_ready_cb as a callback. The handshake runs in the background and the callback fires later when it completes.
When the TLS handshake completes successfully, GnuTLS invokes tls_connection_handshake_ready_cb() asynchronously.

soup_server_disconnect() is called (due to some scenario, like a server restart, or other cases). This iterates through all active connections and disconnects them. When the last reference to a SoupServerConnection is dropped, soup_server_connection_finalize() is called, freeing the object.
If the TLS handshake completes after soup_server_disconnect() has freed the connection object, tls_connection_handshake_ready_cb() still fires with a dangling pointer. The callback then calls soup_server_connection_connected(conn), which attempts to access the freed SoupServerConnection via soup_server_connection_get_iostream(), causing a crash.
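
The lifetime ordering described in this report, as an added model that is not part of the bug report and is neither libsoup's code nor its fix: it contrasts a pending handshake that borrows the connection pointer with one that holds its own reference and checks for disconnection in the callback. The `Conn` type and all function names are assumptions made for the illustration, and `finalized` is a flag standing in for `free()` so the stale access can be detected without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a refcounted connection; not libsoup's types. */
typedef struct {
    int  refs;
    bool disconnected;
    bool finalized;  /* stands in for free() so stale use is detectable without UB */
} Conn;

typedef enum { CB_OK, CB_SKIPPED, CB_STALE_ACCESS } CbResult;

static void conn_ref(Conn *c)   { c->refs++; }
static void conn_unref(Conn *c) { if (--c->refs == 0) c->finalized = true; }

/* Teardown: mark the connection closed and drop the server's reference. */
static void server_disconnect(Conn *c) { c->disconnected = true; conn_unref(c); }

/* Handshake completion. holds_ref: the pending operation took its own
 * reference when it was started and releases it here. */
static CbResult handshake_ready(Conn *c, bool holds_ref)
{
    CbResult r = CB_OK;
    if (c->finalized)         r = CB_STALE_ACCESS; /* real code: use-after-free */
    else if (c->disconnected) r = CB_SKIPPED;      /* alive, but must not be used */
    if (holds_ref) conn_unref(c);
    return r;
}

/* One connection lifetime; *finalized_out reports whether the object was
 * released by the end, i.e. the extra reference did not leak it. */
static CbResult simulate(bool holds_ref, bool disconnect_first, bool *finalized_out)
{
    Conn c = { .refs = 1 };               /* the server's reference */
    CbResult r;
    if (holds_ref) conn_ref(&c);          /* reference owned by the callback */
    if (disconnect_first) server_disconnect(&c);
    r = handshake_ready(&c, holds_ref);
    if (!disconnect_first) server_disconnect(&c);
    *finalized_out = c.finalized;
    return r;
}

int main(void)
{
    bool fin;
    printf("no ref, disconnect first: %d\n", simulate(false, true, &fin));
    printf("ref held, disconnect first: %d\n", simulate(true, true, &fin));
    return 0;
}
```
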