Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-2443
5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
Libsoup: out-of-bounds read in libsoup handle_partial_get() leading to heap information disclosure
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
References
Affected products
libsoup
libsoup3
Matching in nixpkgs
pkgs.libsoup_3
HTTP client/server library for GNOME
pkgs.libsoup_2_4
HTTP client/server library for GNOME
pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22
Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4
Package maintainers
-
@bobby285271 Bobby Rong <rjl931189261@126.com>
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@jtojnar Jan Tojnar <jtojnar@gmail.com>
-
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
-
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
-
@lovek323 Jason O'Conal <jason@oconal.id.au>