CVE-2025-12105: Libsoup HTTP/2 Use-After-Free Remote DoS

A newly recorded vulnerability in the GNOME HTTP library libsoup — tracked as CVE‑2025‑12105 — allows a remote attacker to trigger a heap use‑after‑free during certain HTTP/2 read/cancel sequences, producing a denial‑of‑service condition in any application or service that uses the vulnerable libsoup build.

Background / Overview​

Libsoup is the HTTP client/server library commonly used across GNOME projects and in many applications that rely on WebKit and GNOME HTTP plumbing. The library implements both synchronous and asynchronous APIs and includes HTTP/2 handling code paths that use internal message queues to decouple network I/O from application callbacks. Vendors and distribution security trackers list a specific race condition in that asynchronous queue code as the root cause of this CVE. At a high level the bug is straightforward to describe but subtle to trigger: when an HTTP/2 read operation is completed and then rapidly canceled (or aborted) in particular timing windows, a queue item representing that read completion can be freed more than once due to missing state synchronization. The double‑free leads to a use‑after‑free memory access when code later references the already‑freed item, normally resulting in a crash that can be triggered over the network. Multiple distributors have scored this vulnerability as high‑impact for availability (CVSS v3.1 ≈ 7.5) because the attack is network‑accessible, requires no privileges and can be automated against exposed services.

---

Technical anatomy: what exactly goes wrong​

Asynchronous message queues, HTTP/2, and the race surface​

Libsoup’s HTTP/2 implementation uses asynchronous internal message objects to represent read completions, timeouts and cancellation events. These message objects are enqueued to a dispatch path where worker threads or the main loop pick them up and call into higher‑level handlers.
The vulnerability arises when three conditions align:

• A pending HTTP/2 read completes and a queue item representing that completion is created.
• The remote peer or local logic cancels or aborts the operation almost immediately — before the queued item has been processed.
• The cancel path and the read‑completion path do not fully synchronize ownership and lifecycle changes for the same queue item, allowing both paths to decide they should free the object.

When both code paths free the same heap allocation, a subsequent reference to that memory is a use‑after‑free. In practice the observable effect is a crash or process abort; with carefully crafted sequences it can be repeatedly triggered, making it an effective remote denial‑of‑service vector against services that expose HTTP/2 endpoints and use vulnerable libsoup builds. This precise behavior is described in vendor advisories and package trackers.

Why this is a classic concurrency bug​

This is a textbook asynchronous race: two different state machines (the read completion path and the cancel/abort path) share the same object without a reliable ownership transfer or a canonical state machine that prevents both from freeing the object. Typical mitigations would be reference counting, explicit ownership flags checked under a lock, or queuing semantics that guarantee the consumer is the only free‑owner. The libsoup fix alters the lifecycle handling so that ownership is explicitly synchronized and no path is allowed to free an object that might still be processed by another. Upstream developers merged a corrective change into the project tree (referenced in distributor trackers) to enforce these invariants.

---

Scope and affected software​

What builds and branches are vulnerable​

Multiple distribution trackers indicate the vulnerability affects libsoup3 and certain newer libsoup2.4 builds where the HTTP/2 path was refactored to add the run_until_read_done/async queue behavior. In short:

• libsoup3: widely affected across distributions until patched versions are released.
• libsoup2.4: in many environments not affected (the vulnerable code appeared after divergent refactors), but some packaged builds were audited to confirm status. Administrators must verify their specific package versions.

Distribution patches and status​

Vendors have published patches or packaging updates — the rollout timeline varied by distro:

• Ubuntu issued USN‑7932‑1 and listed patched package versions for supported releases; standard system updates will install the fixes for affected Ubuntu channels.
• Debian tracked the problem, linked to the upstream merge request and commit that remedied the lifecycle handling, and recorded which Debian source packages and releases are fixed or vulnerable.
• SUSE, Red Hat, and other vendors published advisories or entries in their CVE trackers that mirror the technical description and severity scores. Red Hat’s bug database contains the original report and internal tracking.

Because libsoup is commonly embedded into downstream products (desktop apps, small HTTP agents, some IoT or appliance code), the practical impact extends beyond stock distribution packages: any vendor or appliance that bundles its own libsoup may also be affected until the embedded library is rebuilt with the upstream fix.

---

Exploitability and practical risk​

• Attack vector: Network. The vulnerability can be triggered remotely by sending crafted HTTP/2 traffic that deliberately exercises read/abort timing windows. Distributors have assigned a CVSS v3.1 base vector indicating network attack vector with low complexity and high availability impact.
• Impact: Denial of Service (crash of process/service). Publicly available advisories and trackers emphasize that there’s no public evidence of code execution from this flaw; the primary impact is availability. However, memory corruption bugs can sometimes be leveraged in advanced scenarios to escalate to more than DoS; organizations should treat such possibilities with caution.
• Real‑world exploitation: as of the latest vendor entries and vulnerability feeds, there is no broadly publicized proof‑of‑concept or mass exploitation in the wild. The absence of public exploit chatter does not mean attackers won’t or cannot weaponize the issue; the attack primitive (remote, low complexity) makes rapid abuse plausible.

---

Upstream response and the patch​

Upstream maintainers implemented a lifecycle synchronization fix and merged it into the project repository; distribution maintainers built packages based on that change and released security updates. The Debian package tracker explicitly references the merge request and commit that implement the fix — the commit ensures that queue items are not freed by multiple code paths and that cancellation and completion paths agree on object ownership before freeing. Administrators should confirm their platforms are using a libsoup build that contains the corrective commit. Snyk and other vulnerability databases reported the upstream fix appeared on the project’s master branch before the packages were widely published, which is why distributions had to coordinate rebuilds and backports for stable releases. If you manage vendor appliances or third‑party products, ask those vendors for a timeline to deliver binaries rebuilt with the patched libsoup.

---

Detection, logging and incident response guidance​

This vulnerability is primarily a stability/availability risk, so detection focuses on operational signals rather than a reliable network signature.

• Watch for sudden process crashes or repeated core dumps from services that use libsoup (web frontends, proxies with embedded GNOME agents, WebKit‑based services).
• Correlate spikes in 5xx errors or process restarts with HTTP/2 traffic patterns and connection metadata.
• Capture pcap traces for sessions surrounding observed crashes; look for abnormal HTTP/2 streams that perform rapid read and reset/cancel patterns.
• Use application‑level logging to record the presence of HTTP/2 stream resets (RST_STREAM) or abrupt GOAWAY frames near the time of incidents, and correlate with crashed process timelines.
• In containerized environments, collect core dumps and stack traces from container logs and perform symbolized analysis against the exact libsoup binary shipping in your container image.

Because the bug is timing‑based, CPU or memory metrics may not show a clear lead‑in; focus on crash traces, stack backtraces and the presence of repeated read/cancel sequences in network captures for reliable triage. Open‑source trackers also suggest hunting for instances of vulnerable libsoup packages in inventories (package manager queries, binary analysis).

---

Immediate mitigation and prioritization checklist​

1. Patch first: apply vendor patches for libsoup or update the system packages to the patched versions listed by your distribution. This is the single most effective step. Ubuntu’s USN lists the patched libsoup3 package versions for affected releases; Debian and others provide fixed package versions too.
2. Inventory: find all systems running libsoup (both libsoup2.4 and libsoup3 packages, and any statically vendored copies bundled into applications). Package queries, SCA tooling and binary scanning help find embedded copies that package managers won’t list.
3. Compensating controls (if patching is not immediately possible):
   • Consider temporarily disabling HTTP/2 at the edge (on load balancers or reverse proxies) for the most exposed services, or block direct HTTP/2 access from untrusted networks, until you can deploy a fix.
   • Normalization at the edge is less directly helpful here than for header parsing bugs, but reducing the window of exposure for timing attacks (rate‑limiting, connection reset heuristics) can make reliable exploitation harder.
   • Use WAF/IDS rules to detect and throttled anomalies in HTTP/2 stream behavior (unusually frequent stream resets or short read/cancel cycles).
   • For internal services, restrict access with network ACLs or mutual TLS so only trusted peers can reach affected endpoints.
4. Rebuild vendored binaries: if you ship a product that bundles libsoup, rebuild it against the patched upstream and re‑release; packaging fixes do not protect static or embedded copies.
5. Test in staging: validate patched binaries in a test environment that simulates HTTP/2 edge behavior and the real-world load patterns of your application before deploying widely.

Distributors’ advisories make patching the first priority; compensating controls are stopgaps only. OpenCVE and other trackers note that in some contexts no easy mitigation applies other than updating the library, so patch scheduling should be prioritized for externally reachable services.

---

How to validate a fix and what to test​

• Verify package versions: after updating, confirm the libsoup package version matches your distro’s security advisory. Use package manager commands (apt/dnf/zypper) to list installed versions and compare against vendor advisory ranges.
• Reproduce retry/cancel sequences in a controlled lab: use HTTP/2 test tools (h2load, nghttp2-based clients, or custom test harnesses) to generate rapid read-and-reset patterns aimed at the service. Testing must be done in an isolated environment to avoid accidental DoS.
• Collect and verify core dumps: before patching, capture a core from a reproducible crash and after patching confirm that the same script no longer causes the process to crash. That proves the fix works for your configuration.
• Examine changelogs: distribution package changelogs and upstream merge request notes (when accessible) should mention the CVE identifier and the commit that corrected the ownership/lifecycle handling. Debian’s tracking and vendor changelogs explicitly reference the upstream commit and MR that implemented the fix.

---

Broader implications and risk analysis​

This CVE underscores several important, recurring realities for modern networked systems:

• Libraries that mediate network protocols (HTTP/2 included) are high‑value targets because they sit on the exposure boundary. A memory‑safety defect can convert into widespread service outages.
• Asynchronous and multi‑threaded code introduces subtle lifecycle and ownership responsibilities. Even mature libraries can accumulate brittle handling in rare timing windows.
• The supply chain angle matters: many products embed system libraries or vendor a specific runtime. If an embedded libsoup is not updated by the vendor or rebuilt by downstream packagers, the risk persists despite distribution patches. Administrators must include third‑party appliances and vendor‑supplied agents in their inventory and ask for explicit patch timelines.
• The immediate risk here is availability. While the public advisories do not describe unauthenticated code execution, availability attacks can still have high business impact (web frontends, API endpoints or desktop agents can be taken offline or destabilized at scale).

---

Developer and maintainer guidance​

For engineers and maintainers who write networked code or ship binaries that embed libsoup:

• Adopt robust ownership models for asynchronous objects: prefer reference counting or explicit ownership handoffs guarded by synchronization primitives rather than ad‑hoc frees in multiple code paths.
• Add unit tests and deterministic concurrency tests that exercise cancel/abort sequences for asynchronous reads. This class of test often catches UAF-style races that only appear under certain interleavings.
• Use memory sanitizers (AddressSanitizer, Valgrind) during development and continuous integration to catch use‑after‑free and double‑free conditions before release.
• For maintainers of downstream distributions or appliances: ensure that security advisories are tracked and that consumers of the product are informed about update timelines; include explicit CVE identifiers in changelogs so operators can trace fixes reliably. Debian’s bug tracker demonstrates the value of linking to the upstream MR and commit in the changelog and BTS.

---

Practical checklist for system administrators (quick action list)​

1. Inventory: run package queries and SCA tools to find libsoup instances and embedded copies.
2. Patch: install the updated libsoup packages from your vendor or distribution. Confirm versions match advisory recommendations.
3. If patching is delayed: consider disabling HTTP/2 at the edge, apply rate limits and tighten network ACLs to reduce exposure.
4. Monitor: enable crash reporting and collect core dumps for any unexpected restarts. Capture HTTP/2 traces around incidents.
5. Vendor coordination: ask third‑party suppliers whether they bundle libsoup and when they plan to ship rebuilt binaries.

---

Final assessment​

CVE‑2025‑12105 is a high‑priority availability vulnerability in a widely used HTTP library. The defect is not a theoretical parsing quirk: it is an actionable, remote triggerable use‑after‑free that can crash applications and network services that rely on libsoup’s HTTP/2 stack. Distributors have published patches, and upstream merged a fix to synchronize message item lifecycles in the queueing logic; administrators and vendors should treat this as urgent for externally exposed services and for any product that embeds libsoup. Confirm patched package versions in your environment, rebuild vendor binaries where necessary, and apply compensating controls where immediate patch rollout is impractical. Caveat: public trackers and vendor pages list the vulnerability, the technical root cause, and the vendor patch status; they do not report widespread exploitation at time of their latest updates. That absence should not be interpreted as long‑term safety — memory corruption bugs with network reachability are attractive targets and may be probed or weaponized rapidly if not patched. Remediation via updated libsoup builds is the reliable, final mitigation.

---

---

Source: MSRC Security Update Guide - Microsoft Security Response Center