Bug 2499939 (CVE-2026-15712) - CVE-2026-15712 SoupClientMessageIOHTTP2: libsoup3: libsoup: HTTP/2 GOAWAY frame parsing heap buffer over-read via invalid NUL-termination assumption
Summary: CVE-2026-15712 SoupClientMessageIOHTTP2: libsoup3: libsoup: HTTP/2 GOAWAY fra...
Keywords:
Status: NEW
Alias: CVE-2026-15712
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2500132
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-14 10:03 UTC by OSIDB Bzimport
Modified: 2026-07-14 18:52 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-14 10:03:18 UTC
A flaw was found in libsoup's HTTP/2 protocol parsing logic where processing malformed network frames can trigger a heap buffer over-read condition.

Component / Vulnerable Part:

libsoup -> HTTP/2 connection processing backend (soup-client-message-io-http2.c or similar HTTP/2 state engine components handling GOAWAY frames).

Technical Analysis & Root Cause:

When an HTTP/2 session receives a GOAWAY frame, the frame can contain an optional "Additional Debug Data" payload field. The libsoup library erroneously treats this debug data block as a standard, safely NUL-terminated C-string without explicitly verifying the payload length boundaries provided by the framing layer. If a remote peer constructs a malicious GOAWAY frame containing a debug string that lacks a terminating \0 byte within the bounds of the frame allocation, internal string functions will read past the allocated heap space looking for the delimiter.

Impact:

A remote attacker acting as a malicious HTTP/2 endpoint can transmit a specially crafted GOAWAY frame to read out-of-bounds heap memory. This results in an immediate application crash (Denial of Service) or potential information disclosure of adjacent memory metadata.


Note You need to log in before you can comment on or make changes to this bug.