Libsoup: soupcache: libsoup: http/2 frame window exhaustion remote denial of service via memory leak
Summary
A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash. Affected products named by the advisory: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9.
What this means
In plain English
The HTTP/2 implementation can fail to release memory when streams end under conditions such as window exhaustion or explicit resets. A remote, unauthenticated attacker acting as a malicious network peer can repeatedly trigger leaked stream state, gradually consuming heap memory and eventually causing an out-of-memory application crash. The advisory reports no known exploitation.
Recommended action
The vendor has not specified a fixed release, mitigation, or workaround. Follow the official advisory for remediation guidance.
Written by AI strictly from the parsed advisory data above — versions, scores and dates are never AI-generated. The vendor advisory is authoritative.
Affected versions
No affected-version range was extracted from the source record. The vendor advisory is authoritative — check it before change work.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
No fixed release is recorded yet. That does not prove no patch exists — confirm against the vendor advisory.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation
The source record does not include mitigation steps. That is not a statement that no fix exists — read the vendor advisory below for the authoritative guidance.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.