Bug 2499942 (CVE-2026-15714) - CVE-2026-15714 libsoup: SoupMultipartInputStream: libsoup: Out-of-bounds read in soup_multipart_input_stream_read_headers via an oversized multipart boundary string
Summary: CVE-2026-15714 libsoup: SoupMultipartInputStream: libsoup: Out-of-bounds read...
Keywords:
Status: NEW
Alias: CVE-2026-15714
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2500552 2500553 2500554
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-14 10:27 UTC by OSIDB Bzimport
Modified: 2026-07-14 19:49 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-14 10:27:13 UTC
Vulnerability Reference:

An out-of-bounds (OOB) read flaw was discovered in libsoup's multipart input streaming parser, allowing a remote attacker to trigger a crash or potentially expose sensitive memory contents.

Component / Vulnerable Part:

libsoup -> Multipart handling engine (libsoup/soup-multipart-input-stream.c -> soup_multipart_input_stream_read_headers())

Technical Analysis & Root Cause:

When an application utilizing a SoupSession parses a multipart MIME message response, it invokes soup_multipart_input_stream_read_headers() to extract contextual block structures. A validation vulnerability exists where the logic fails to enforce strict length limits on the incoming boundary string delimiter. If a malicious remote endpoint supplies an exceptionally large multipart boundary string, the internal memory pointer indexing calculations drift past the expected buffer boundaries, triggering an out-of-bounds read operation on the heap or stack layout.

Impact:

A remote, unauthenticated attacker serving a malformed multipart HTTP payload can cause the application process to terminate unexpectedly (Denial of Service) via a segmentation fault or glean layout information from adjacent memory locations.


Note You need to log in before you can comment on or make changes to this bug.