cve-2026-2436

CVE-2026-2436 is a use-after-free vulnerability in libsoup, the GNOME HTTP library. The flaw occurs in SoupServer when soup_server_disconnect() frees connection objects before a TLS handshake completes, leaving a dangling pointer that can be dereferenced later, causing a crash. The issue was reported by Red Hat, assigned CWE-825 (Expired Pointer Dereference), and carries a CVSS 3.1 score of 6.5 (Medium) with a network attack vector and no privileges required. This tag covers discussions about the vulnerability's impact, reproduction, and mitigation for Linux systems using libsoup.