Fedora Account System
Red Hat Associate
Red Hat Customer
A flaw was found in libsoup's HTTP/2 protocol parsing logic where processing malformed network frames can trigger a heap buffer over-read condition. Component / Vulnerable Part: libsoup -> HTTP/2 connection processing backend (soup-client-message-io-http2.c or similar HTTP/2 state engine components handling GOAWAY frames). Technical Analysis & Root Cause: When an HTTP/2 session receives a GOAWAY frame, the frame can contain an optional "Additional Debug Data" payload field. The libsoup library erroneously treats this debug data block as a standard, safely NUL-terminated C-string without explicitly verifying the payload length boundaries provided by the framing layer. If a remote peer constructs a malicious GOAWAY frame containing a debug string that lacks a terminating \0 byte within the bounds of the frame allocation, internal string functions will read past the allocated heap space looking for the delimiter. Impact: A remote attacker acting as a malicious HTTP/2 endpoint can transmit a specially crafted GOAWAY frame to read out-of-bounds heap memory. This results in an immediate application crash (Denial of Service) or potential information disclosure of adjacent memory metadata.