Bug 2448044 (CVE-2026-4271) - CVE-2026-4271 libsoup: libsoup: Denial of Service via Use-After-Free in HTTP/2 server
Summary: CVE-2026-4271 libsoup: libsoup: Denial of Service via Use-After-Free in HTTP/...
Keywords:
Status: NEW
Alias: CVE-2026-4271
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2448045 2448046 2448047
Blocks:
Reported: 2026-03-16 14:46 UTC by OSIDB Bzimport
Modified: 2026-03-17 11:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-16 14:46:48 UTC
A use-after-free vulnerability exists in the HTTP/2 server implementation of the libsoup HTTP library. The issue occurs in the on_frame_recv_callback() function when processing HTTP/2 frames. During header handling, the function increments an internal callback counter and emits signals such as soup_server_message_got_headers(). If a user-defined signal handler disconnects the client connection during this callback (for example because authentication failed), the associated SoupServerMessageIOHTTP2 object may be destroyed and freed while the callback still holds a pointer to it. When execution returns to the callback, it continues to access the freed io object and attempts to update its internal state, resulting in a heap use-after-free. An attacker can trigger this issue by sending HTTP/2 requests that fail authentication validation, potentially leading to application instability or crashes.
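The control flow described above, and the defensive pattern that closes this class of bug (the frame callback owns a strong reference to the io object for as long as it touches it, so a handler that disconnects the client can only defer the free), as an added plain-C sketch. This is not libsoup's code or its actual patch; Http2IO, Connection, the accept/reject handlers and the refcount-across-emission fix are constructed stand-ins for the objects named in the description.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed stand-in for SoupServerMessageIOHTTP2: reference counted,
 * carrying the per-callback counter the frame callback updates. */
typedef struct {
    int refcount;
    int in_callback;
    int frames_done;
} Http2IO;

/* Constructed stand-in for the client connection; owns one reference to io. */
typedef struct {
    Http2IO *io;                       /* NULL once the connection is dropped */
    bool (*got_headers)(void *conn);   /* user handler; false = reject request */
} Connection;
static int freed_io_objects = 0;       /* lets a caller observe when io dies */

static Http2IO *io_new(void) {
    Http2IO *io = calloc(1, sizeof *io);
    if (!io) abort();
    io->refcount = 1;
    return io;
}
static Http2IO *io_ref(Http2IO *io) { io->refcount++; return io; }
static void io_unref(Http2IO *io) {
    if (--io->refcount == 0) { freed_io_objects++; free(io); }
}

/* What a handler does when it disconnects the client on auth failure: the
 * connection gives up its reference. In the vulnerable shape that was the
 * last reference, so io was freed while the callback was still running. */
static void connection_disconnect(Connection *conn) {
    if (conn->io) { io_unref(conn->io); conn->io = NULL; }
}
static bool accept_handler(void *conn) { (void)conn; return true; }
static bool reject_handler(void *conn) { connection_disconnect(conn); return false; }

/* Hardened frame callback. The vulnerable shape used conn->io directly after
 * the emission; here the callback owns a reference for its whole duration,
 * so a disconnect inside the handler only defers the free to io_unref below.
 * Returns the frames completed on this io, or -1 if the request was rejected. */
static int on_headers_frame(Connection *conn) {
    if (!conn->io) return -1;
    Http2IO *io = io_ref(conn->io);    /* strong ref across the signal emission */
    io->in_callback++;
    bool ok = conn->got_headers(conn); /* may disconnect and drop conn->io */
    io->in_callback--;                 /* still valid: we hold our own reference */
    io->frames_done++;
    int done = ok ? io->frames_done : -1;
    io_unref(io);                      /* frees here if the handler disconnected */
    return done;
}
```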