SoupServer is vulnerable to use after free vulnerability because soup_server_disconnect() frees all SoupServerConnection objects, even if there is a pending GNUTLS handshake to be finished. 

A TLS handshake is initiated asynchronously. After creating the SoupServerConnection, libsoup calls g_tls_connection_handshake_async(), which registers tls_connection_handshake_ready_cb as a callback. The handshake runs in the background andthe callback fires later when it completes.
When the TLS handshake completes successfully, GNUTLS invokes tls_connection_handshake_ready_cb() asynchronously

soup_server_disconnect() is called ( due to some scenario, like a server restart, or other cases). This iterates through all active connections and disconnects them. When the last reference to a SoupServerConnection is dropped, soup_server_connection_finalize() is called, freeing the object. 
If the TLS handshake completes after soup_server_disconnect() has freed the connection object, tls_connection_handshake_ready_cb() still fires with a dangling pointer. The callback then calls soup_server_connection_connected(conn), which attempts to access the freed SoupServerConnection via soup_server_connection_get_iostream(), causing a crash