CVE-2025-32914 - Vulnerability Details

- Libsoup: oob read on libsoup through function "soup_multipart_new_from_message" in soup-multipart.c leads to crash or exit of process

Description

A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.

Published: 2025-04-14

Score: 7.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the libsoup library allows a malicious HTTP client to trigger an out-of-bounds read when the soup_multipart_new_from_message() function processes a multipart message. This out-of-bounds read, identified as CWE-125, can cause the library to read beyond a buffer boundary, resulting in a crash or process exit and thus a denial of service.

Affected Systems

All specified Red Hat Enterprise Linux platforms—including RHEL 6, RHEL 7 with extended lifecycle or extended update support, RHEL 8 (versions 8.2, 8.4, 8.6 and 8.8), RHEL 9 (versions 9.0, 9.2, 9.4), and RHEL 10—contain the affected libsoup component and are therefore vulnerable.

Risk and Exploitability

With a CVSS score of 7.4, the vulnerability poses a high impact, but the EPSS score of less than 1% indicates a low current exploitation probability. It is not listed in the CISA KEV catalog. The attack vector is likely a remote HTTP client sending a crafted multipart request to a server that uses libsoup, and the flaw only provides denial of service rather than remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 3.6.5

Red Hat

Red Hat Enterprise Linux 10

affected

Version	Status	Constraints
`0:3.6.5-3.el10_0`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 7 Extended Lifecycle Support

affected

Version	Status	Constraints
`0:2.62.2-9.el7_9`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 7 Extended Lifecycle Support

affected

Version	Status	Constraints
`0:2.62.2-6.el7_9`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:2.62.3-9.el8_10`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:2.62.3-9.el8_10`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.2 Advanced Update Support

affected

Version	Status	Constraints
`0:2.62.3-1.el8_2.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

affected

Version	Status	Constraints
`0:2.62.3-2.el8_4.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

affected

Version	Status	Constraints
`0:2.62.3-2.el8_6.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Telecommunications Update Service

affected

Version	Status	Constraints
`0:2.62.3-2.el8_6.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:2.62.3-2.el8_6.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.8 Extended Update Support

affected

Version	Status	Constraints
`0:2.62.3-3.el8_8.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:2.72.0-10.el9_6.2`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:2.72.0-8.el9_0.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.2 Extended Update Support

affected

Version	Status	Constraints
`0:2.72.0-8.el9_2.5`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.4 Extended Update Support

affected

Version	Status	Constraints
`0:2.72.0-8.el9_4.5`	unaffected	< *

Red Hat Red Hat Enterprise Linux 6 unknown —

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
libsoup3-0:3.6.5-3.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:7505	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
libsoup-0:2.62.2-6.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:9179	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8
libsoup-0:2.62.3-9.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:8132	2025-05-26T00:00:00Z
libsoup-0:2.62.3-9.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2025:8132	2025-05-26T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
libsoup-0:2.62.3-1.el8_2.5	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:8480	2025-06-04T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
libsoup-0:2.62.3-2.el8_4.5	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:8663	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
libsoup-0:2.62.3-2.el8_6.5	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:8482	2025-06-04T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
libsoup-0:2.62.3-2.el8_6.5	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:8482	2025-06-04T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
libsoup-0:2.62.3-2.el8_6.5	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:8482	2025-06-04T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
libsoup-0:2.62.3-3.el8_8.5	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:8252	2025-05-28T00:00:00Z
Red Hat Enterprise Linux 9
libsoup-0:2.72.0-10.el9_6.2	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:8126	2025-05-26T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
libsoup-0:2.72.0-8.el9_0.5	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:8481	2025-06-04T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
libsoup-0:2.72.0-8.el9_2.5	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:8140	2025-05-26T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
libsoup-0:2.72.0-8.el9_4.5	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:8139	2025-05-26T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

Currently, no mitigation is available for this vulnerability.

OpenCVE Recommended Actions

Apply the Red Hat security errata that updates the libsoup package for the affected RHEL version (e.g., RHSA-2025:21657).
Restart any services that link against libsoup to ensure the updated library is loaded.
Monitor Red Hat advisories for additional patches or interim mitigations and apply them promptly.

Generated by OpenCVE AI on April 22, 2026 at 11:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4140-1	libsoup2.4 security update
EUVD	EUVD-2025-10884	A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.
Ubuntu USN	USN-7490-1	libsoup vulnerabilities
Ubuntu USN	USN-7490-3	libsoup vulnerabilities
Ubuntu USN	USN-7643-1	libsoup vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00521.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:21657
https://access.redhat.com/errata/RHSA-2025:7505
https://access.redhat.com/errata/RHSA-2025:8126
https://access.redhat.com/errata/RHSA-2025:8132
https://access.redhat.com/errata/RHSA-2025:8139
https://access.redhat.com/errata/RHSA-2025:8140
https://access.redhat.com/errata/RHSA-2025:8252
https://access.redhat.com/errata/RHSA-2025:8480
https://access.redhat.com/errata/RHSA-2025:8481
https://access.redhat.com/errata/RHSA-2025:8482
https://access.redhat.com/errata/RHSA-2025:8663
https://access.redhat.com/errata/RHSA-2025:9179
https://access.redhat.com/security/cve/CVE-2025-32914
https://bugzilla.redhat.com/show_bug.cgi?id=2359358
https://gitlab.gnome.org/GNOME/libsoup/-/issues/436
https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html
https://nvd.nist.gov/vuln/detail/CVE-2025-32914
https://www.cve.org/CVERecord?id=CVE-2025-32914

History

Wed, 22 Apr 2026 10:45:00 +0000

Type	Values Removed	Values Added
References		https://gitlab.gnome.org/GNOME/libsoup/-/issues/436

Tue, 18 Nov 2025 09:00:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2025:21657

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html

Tue, 17 Jun 2025 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs	~~cpe:/o:redhat:enterprise_linux:7~~	cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els
References		https://access.redhat.com/errata/RHSA-2025:9179

Tue, 10 Jun 2025 06:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.4

Mon, 09 Jun 2025 10:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/o:redhat:rhel_aus:8.4::baseos
References		https://access.redhat.com/errata/RHSA-2025:8663

Fri, 06 Jun 2025 22:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_tus:8.6

Wed, 04 Jun 2025 04:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos
Vendors & Products		Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:8482

Wed, 04 Jun 2025 04:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_e4s:9.0::appstream cpe:/o:redhat:rhel_aus:8.2::baseos
Vendors & Products		Redhat rhel Aus Redhat rhel E4s
References		https://access.redhat.com/errata/RHSA-2025:8480 https://access.redhat.com/errata/RHSA-2025:8481

Wed, 28 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:8.8

Wed, 28 May 2025 08:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:8.8::appstream cpe:/o:redhat:rhel_eus:8.8::baseos
References		https://access.redhat.com/errata/RHSA-2025:8252

Tue, 27 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:rhel_eus:9.2 cpe:/o:redhat:enterprise_linux:8

Mon, 26 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_eus:9.4

Mon, 26 May 2025 12:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:rhel_eus:9.2::appstream cpe:/o:redhat:enterprise_linux:8::baseos
References		https://access.redhat.com/errata/RHSA-2025:8132 https://access.redhat.com/errata/RHSA-2025:8140

Mon, 26 May 2025 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.4::appstream
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:8139

Mon, 26 May 2025 07:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2025:8126

Tue, 13 May 2025 23:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10.0
References		https://access.redhat.com/errata/RHSA-2025:7505

Tue, 15 Apr 2025 02:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-32914 https://www.cve.org/CVERecord?id=CVE-2025-32914
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 14 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 14 Apr 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.
Title		Libsoup: oob read on libsoup through function "soup_multipart_new_from_message" in soup-multipart.c leads to crash or exit of process
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-125
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-32914 https://bugzilla.redhat.com/show_bug.cgi?id=2359358
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Subscriptions

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-04-14T14:45:46.300Z

Updated: 2026-04-22T10:17:04.492Z

Reserved: 2025-04-14T01:59:13.828Z

Link: CVE-2025-32914

Vulnrichment

Updated: 2025-11-03T19:53:48.959Z

NVD

Status : Deferred

Published: 2025-04-14T15:15:25.633

Modified: 2026-04-22T11:16:02.600

Link: CVE-2025-32914

Redhat

Severity : Moderate

Publid Date: 2025-04-14T00:00:00Z

Links: CVE-2025-32914 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object