CVE-2026-12478 PUBLISHED

Libsoup: incomplete fix for cve-2026-0716: out-of-bounds read in libsoup websocket frame processing (unmasked path)

Assigner: redhat
Reserved: 16.06.2026 Published: 14.07.2026 Updated: 14.07.2026

The fix for CVE-2026-0716 (commit 6ff7ef0, libsoup 3.6.6) placed the integer overflow guard inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
CVSS Score: 4.8

Product Status

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected

Workarounds

To mitigate this issue, applications utilizing libsoup's WebSocket support should ensure that the max_incoming_payload_size is explicitly set to a non-zero value. This prevents the library from processing WebSocket frames with an unset or zero maximum payload size, which can lead to out-of-bounds reads. Consult application-specific documentation for configuring libsoup parameters.

Credits

  • Red Hat would like to thank Adel Bouachraoui and Gerard Capdevila for reporting this issue.

References

Problem Types

  • Out-of-bounds Read CWE