CVE-2026-15712

Public on 2026-07-14
Modified on 2026-07-16
Description
A heap buffer over-read vulnerability was discovered in libsoup's HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.9
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core libsoup Not Affected
Amazon Linux 2023 libsoup Not Affected
Amazon Linux 2023 libsoup3 Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H