CVE-2026-15712: libsoup HTTP/2 GOAWAY Bug Crashes Apps

CVE-2026-15712 exposes a heap buffer over-read in libsoup 3.0 through 3.7.0 that can let an unauthenticated remote peer crash an application processing HTTP/2 traffic. The flaw sits in the library’s handling of the HTTP/2 GOAWAY frame’s optional “Additional Debug Data” field, where the parser reportedly treats attacker-controlled bytes as though they were safely NUL-terminated C text.
According to the CVE record published by Red Hat and mirrored by the National Vulnerability Database, a malformed GOAWAY frame without the expected terminating byte can make libsoup read past the allocated heap buffer. The immediate, documented consequence is denial of service; the record also warns that fragments of process memory could potentially be exposed.
Red Hat assigned a CVSS 3.1 base score of 5.9, rated Medium, using a vector that reflects network reachability, no required privileges, no user interaction, and high availability impact. The attack complexity is rated High, an important qualifier that should keep teams from treating this as a generic “patch everything immediately” emergency—while not mistaking that rating for safety.
The timeline is unusually compressed. Red Hat added the CVE on July 14, 2026; the NVD entry was last modified on July 15; and the supplied record metadata shows publication on July 17. NVD also says it does not plan to prioritize enrichment of this record, so administrators should not wait for an NVD-authored severity assessment or expanded affected-product analysis before reviewing their own exposure.

Cybersecurity illustration depicting an HTTP/2 vulnerability corrupting Linux heap memory across Windows and WSL.A GOAWAY Frame Becomes a Process Crash​

HTTP/2’s GOAWAY frame is designed to signal that a connection is shutting down or should not accept new streams. It can carry an optional diagnostic payload, but such data is still protocol input from the network—not inherently a conventional C string.
That distinction is the heart of CVE-2026-15712. The vulnerability description says libsoup’s HTTP/2 connection tracking code assumes the debug-data payload has a NUL terminator. If a malicious peer supplies a payload that reaches the end of its allocated buffer without that terminator, a string-oriented read can continue beyond the valid boundary.
This is classified as CWE-125, an out-of-bounds read. In the most dependable scenario, reading invalid memory destabilizes the application and causes a crash. The more difficult-to-characterize scenario is information disclosure: depending on compiler behavior, allocator state, runtime checks, logging, and how the resulting data is surfaced, adjacent memory could conceivably be observed.
That does not make this a confirmed remote-code-execution issue. Neither Red Hat’s description nor the current NVD record describes code execution, privilege escalation, authentication bypass, or integrity impact. The practical risk today is service reliability for software that exposes a vulnerable libsoup HTTP/2 client connection to an untrusted server or intermediary.

The Windows Estate Is More Likely to Meet This Through Linux Workloads​

libsoup is a GNOME-oriented HTTP library, so this is not a typical native Windows component or a Windows Update issue. But that does not put the vulnerability outside a Windows-centric environment.
Windows administrators should look for libsoup in the Linux portions of their fleets: WSL distributions used for development or automation, Docker or Podman containers running on Windows hosts, Linux CI agents administered from Windows, and cross-platform desktop software whose Linux builds use GNOME and GLib components. A developer’s Windows workstation can be relevant if its WSL image, test container, or remote Linux build environment processes HTTP/2 connections through libsoup.
The exposure condition matters. A vulnerable application must use affected libsoup code and must process HTTP/2 traffic from a hostile or compromised endpoint. Typical examples could include a service or desktop application that makes outbound HTTP/2 requests to user-supplied URLs, connects to third-party APIs, follows redirects across trust boundaries, or traverses an interception proxy that could inject malformed protocol traffic.
This is therefore not a flaw that can be assessed by simply asking whether a machine has “HTTP/2 enabled.” The more useful question is whether an application linked against libsoup 3.x can be induced to establish an HTTP/2 connection to infrastructure an attacker controls.
For mixed Windows/Linux operations, inventory needs to extend beyond the Windows software catalog. Container image manifests, WSL package lists, build runners, and developer base images may be the fastest route to finding installed copies of libsoup3.

Red Hat Lists RHEL 10, but the Package Version Is the First Check​

The affected-product data added to the CVE record identifies Red Hat Enterprise Linux 10 and the libsoup3 package as affected. That is a concrete starting point for Red Hat customers, but it should not be interpreted as a complete cross-distribution list.
The disclosed vulnerable upstream range is libsoup 3.0 through 3.7.0. Distribution maintainers frequently backport security fixes without changing a package’s headline upstream version to the first later release, so comparing only the visible version number can create false positives or false negatives. An installed package that appears older may already contain a downstream fix; conversely, a version-range match remains meaningful until the distribution’s advisory or changelog says otherwise.
Red Hat’s advisory workflow is particularly relevant here. The vendor publishes CVE status and, when available, errata describing the specific updated RPMs. At the time reflected by the supplied record, the CVE identifies RHEL 10 as affected but does not include a named RHSA advisory or a fixed package build. That means teams should monitor Red Hat’s CVE and errata channels rather than assume an ordinary package update already resolves the issue.
For administrators who need to triage now, the work is narrow:
  • Identify libsoup3 installations on RHEL 10 systems, container images, and WSL-based development environments.
  • Determine which installed applications actually initiate HTTP/2 connections through libsoup.
  • Prioritize software that can be directed to attacker-controlled URLs, APIs, proxies, or gateways.
  • Apply vendor-provided fixed packages as soon as an applicable erratum is available, rather than replacing packages manually from unrelated repositories.
  • Restrict untrusted egress paths or disable unnecessary HTTP/2 use where an application offers a supported configuration switch and operational impact is acceptable.
The final two steps are mitigations, not substitutes for a correction. Network filtering can reduce opportunities to reach hostile endpoints, but protocol input handling must ultimately be fixed in the library.

“PoC” Is a Signal, Not Confirmation of Active Exploitation​

CISA’s SSVC data attached to the record marks exploitation as “poc,” with partial technical impact and no indicated automation. That designation suggests a proof of concept exists or has been recognized for coordination purposes. It is not the same as evidence of broad exploitation in the wild.
This distinction is especially important for security teams balancing a long list of July advisories. A remotely reachable parsing fault with a public proof of concept deserves attention because reproducing a crash may be easier for an attacker than discovering the underlying bug was. Yet the current record’s high attack-complexity rating, lack of documented code execution, and absence of an automated-exploitation indication point toward targeted remediation and exposure reduction rather than panic-driven disruption.
The unresolved issue is patch availability and distribution coverage. GNOME’s libsoup tracker is referenced from the CVE, while Red Hat remains the CNA and the only vendor explicitly listed in the affected-product data supplied so far. Until upstream and downstream maintainers publish fixed versions and package advisories, the most defensible action is to find real libsoup 3.x HTTP/2 exposure, protect high-risk outbound clients, and watch the relevant distribution channels for the exact corrected builds.

References​

  1. Primary source: NVD
    Published: 2026-07-17T01:01:51-07:00
  2. Security advisory: MSRC
    Published: 2026-07-17T01:01:51-07:00
    Original feed URL
 

Back
Top