Libsoup: incomplete fix for CVE-2026-0716: out-of-bounds read in libsoup websocket frame processing (unmasked path)
Summary
The fix for CVE-2026-0716 (commit 6ff7ef0, libsoup 3.6.6) placed the integer overflow guard inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0. This vulnerability is rated Moderate for Red Hat because it requires a non-default configuration where max_incoming_payload_size is explicitly set to 0 or unset in libsoup's WebSocket frame processing. In typical Red Hat deployments, this configuration is not enabled by default, limiting the exposure to memory disclosure or application instability. Red Hat severity: Moderate — CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L). Weakness: CWE-125: Out-of-bounds Read. Affected product named by the advisory: Red Hat Enterprise Linux 10.
Mitigation checklist
- To mitigate this issue, applications utilizing libsoup's WebSocket support should ensure that the `max_incoming_payload_size` is explicitly set to a non-zero value. This prevents the library from processing WebSocket frames with an unset or zero maximum payload size, which can lead to out-of-bounds reads. Consult application-specific documentation for configuring libsoup parameters.
Official advisory · high-confidence parse· fetched 3 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.