Description
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
Published: 2026-02-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential disclosure of heap memory contents via an out‑of‑bounds read in libsoup's handle_partial_get()
Action: Apply update
AI Analysis

Impact

An out‑of‑bounds read flaw exists in libsoup, the HTTP library used in GNOME‑based systems. By sending specially crafted HTTP Range headers, a remote attacker can cause the library to improperly validate byte ranges and read memory beyond the intended server response. This allows the attacker to exfiltrate portions of server heap memory, potentially leaking sensitive data.

Affected Systems

The vulnerability affects all supported Red Hat Enterprise Linux releases from 6 through 10, as these systems embed the affected libsoup library. It also impacts any GNOME‑based installations that incorporate the vulnerable libsoup component. Users of these operating systems or applications relying on libsoup should verify whether the library has been updated to the patched revision.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, while the EPSS score is less than 1 %, suggesting a low probability of exploitation at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to reach a server running the vulnerable SoupServer component and the ability to send crafted HTTP requests. Because the flaw is limited to memory disclosure rather than remote code execution, the overall impact is primarily confidentiality compromise, with modest complexity for an attacker.

Generated by OpenCVE AI on April 16, 2026 at 06:51 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Install the latest Red Hat Enterprise Linux update that includes the patched libsoup library.
  • If an update cannot be applied immediately, disable or limit the use of the SoupServer component or block HTTP Range header processing on the affected services.
  • Subscribe to Red Hat Security Advisories and apply fixes as soon as they become available.

Generated by OpenCVE AI on April 16, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
References

Mon, 23 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Gnome
Gnome libsoup
CPEs cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Gnome
Gnome libsoup

Sat, 14 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Red Hat
Red Hat enterprise Linux
Vendors & Products Red Hat
Red Hat enterprise Linux

Fri, 13 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
Description A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
Title Libsoup: out-of-bounds read in libsoup handle_partial_get() leading to heap information disclosure
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-125
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gnome Libsoup
Red Hat Enterprise Linux
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-23T19:19:48.562Z

Reserved: 2026-02-13T04:32:46.051Z

Link: CVE-2026-2443

cve-icon Vulnrichment

Updated: 2026-02-13T12:43:07.003Z

cve-icon NVD

Status : Modified

Published: 2026-02-13T12:16:09.107

Modified: 2026-03-23T20:16:25.643

Link: CVE-2026-2443

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-13T00:00:00Z

Links: CVE-2026-2443 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:00:10Z

Weaknesses