Security update for libsoup

Announcement ID: SUSE-SU-2026:20752-1
Release Date: 2026-03-18T10:01:25Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2025-12105 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-12105 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  • CVE-2025-12105 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-14523 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
  • CVE-2025-14523 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
  • CVE-2025-14523 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
  • CVE-2025-32049 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-32049 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-32049 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-1467 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
  • CVE-2026-1467 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2026-1467 ( NVD ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
  • CVE-2026-1539 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
  • CVE-2026-1539 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
  • CVE-2026-1539 ( NVD ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
  • CVE-2026-1760 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
  • CVE-2026-1760 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • CVE-2026-1760 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2026-2369 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2026-2369 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  • CVE-2026-2369 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  • CVE-2026-2443 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
  • CVE-2026-2443 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2026-2443 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2026-2443 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2026-2708 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
  • CVE-2026-2708 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Affected Products:
  • SUSE Linux Micro 6.2

An update that solves nine vulnerabilities can now be installed.

Description:

This update for libsoup fixes the following issues:

Update to libsoup 3.6.6:

  • CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion (bsc#1252555).
  • CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (bsc#1254876).
  • CVE-2025-32049: Denial of Service attack to websocket server (bsc#1240751).
  • CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
  • CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects (bsc#1257441).
  • CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request smuggling and potential DoS (bsc#1257597).
  • CVE-2026-2369: Buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
  • CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers (bsc#1258170).
  • CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).

Changelog:

  • websocket: Fix out-of-bounds read in process_frame
  • Check nulls returned by soup_date_time_new_from_http_string()
  • Numerous fixes to handling of Range headers
  • server: close the connection after responsing a request containing Content-Length and Transfer-Encoding
  • Use CRLF as line boundary when parsing chunked enconding data
  • websocket: do not accept messages frames after closing due to an error
  • Sanitize filename of content disposition header values
  • Always validate the headers value when coming from untrusted source
  • uri-utils: do host validation when checking if a GUri is valid
  • multipart: check length of bytes read soup_filter_input_stream_read_until()
  • message-headers: Reject duplicate Host headers
  • server: null-check soup_date_time_to_string()
  • auth-digest: fix crash in soup_auth_digest_get_protection_space()
  • session: fix 'heap-use-after-free' caused by 'finishing' queue item twice
  • cookies: Avoid expires attribute if date is invalid
  • http1: Set EOF flag once content-length bytes have been read
  • date-utils: Add value checks for date/time parsing
  • multipart: Fix multiple boundry limits
  • Fixed multiple possible memory leaks
  • message-headers: Correct merge of ranges
  • body-input-stream: Correct chunked trailers end detection
  • server-http2: Correctly validate URIs
  • multipart: Fix read out of buffer bounds under soup_multipart_new_from_message()
  • headers: Ensure Request-Line comprises entire first line
  • tests: Fix MSVC build error
  • Fix possible deadlock on init from gmodule usage
  • Updated translations.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.2
    zypper in -t patch SUSE-SL-Micro-6.2-402=1

Package List:

  • SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    • libsoup-3_0-0-debuginfo-3.6.6-160000.1.1
    • libsoup-3_0-0-3.6.6-160000.1.1
    • libsoup-debugsource-3.6.6-160000.1.1

References: