Description
A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).
Published: 2026-03-17
Score: 5.3 Medium
EPSS: 1.5% Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A flaw was discovered in libsoup, a library for handling HTTP requests. In its HTTP/2 server path, a use-after-free condition allows a remote attacker to send specially crafted HTTP/2 requests (ones that cause authentication failures, per the description) that lead the library to dereference memory it has already freed. The result is instability or a crash of the application using libsoup, which in turn can take the service down and cause a denial of service. The weakness is classified as CWE-416.

Affected Systems

The vulnerability exists in the libsoup library shipped with Red Hat Enterprise Linux v6, v7, v8, v9, and v10 as listed in the provided CPE entries. The vendor’s CNA data confirms that these operating system releases contain the affected libsoup component, but specific package versions are not enumerated in the input.

Risk and Exploitability

The CVSS score of 5.3 points to a medium severity issue, while an EPSS score of less than 1% suggests that exploitation in the wild is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by contacting any service that receives HTTP/2 requests via libsoup; no special credentials or elevated privileges are needed. Successful exploitation results in a crash or instability of the target application, thereby denying availability to legitimate users.

Generated by OpenCVE AI on March 19, 2026 at 21:51 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Check for and apply any Red Hat update that addresses CVE-2026-4271.
  • If no patch is currently available, continue to monitor Red Hat security advisories for updates.
  • The provided workaround does not meet Red Hat product security criteria; no temporary mitigation is recommended.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:45:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Added:
  Gnome
  Gnome libsoup

Type: Vendors & Products
Values Added:
  Gnome
  Gnome libsoup

Tue, 17 Mar 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 12:15:00 +0000

Type: References
(no values listed)

Type: Metrics (threat_severity)
Values Removed:
  None
Values Added:
  Moderate

Tue, 17 Mar 2026 11:30:00 +0000

Type: Description
Values Added:
  A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).

Type: Title
Values Added:
  Libsoup: libsoup: denial of service via use-after-free in http/2 server

Type: First Time appeared
Values Added:
  Redhat
  Redhat enterprise Linux

Type: Weaknesses
Values Added:
  CWE-416

Type: CPEs
Values Added:
  cpe:/o:redhat:enterprise_linux:10
  cpe:/o:redhat:enterprise_linux:6
  cpe:/o:redhat:enterprise_linux:7
  cpe:/o:redhat:enterprise_linux:8
  cpe:/o:redhat:enterprise_linux:9

Type: Vendors & Products
Values Added:
  Redhat
  Redhat enterprise Linux

Type: References
(no values listed)

Type: Metrics (cvssV3_1)
Values Added:
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-25T06:28:51.112Z

Reserved: 2026-03-16T14:43:58.712Z

Link: CVE-2026-4271

Vulnrichment

Updated: 2026-03-17T12:58:28.135Z

NVD

Status : Analyzed

Published: 2026-03-17T12:16:13.280

Modified: 2026-03-19T19:33:46.743

Link: CVE-2026-4271

Redhat

Severity : Moderate

Public Date: 2026-03-16T00:00:00Z

Links: CVE-2026-4271 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:49:21Z

Weaknesses