Security update for libsoup SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0017-1 Final 1 1 2026-01-05T10:52:01Z current 2026-01-05T10:52:01Z 2026-01-05T10:52:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup This update for libsoup fixes the following issues: - CVE-2025-12105: Fixed heap use-after-free in message queue handling during HTTP/2 read completion (bsc#1252555) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-17,SUSE-SLE-Module-Basesystem-15-SP7-2026-17,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-17,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-17,openSUSE-SLE-15.6-2026-17 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260017-1/ Link for SUSE-SU-2026:0017-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023671.html E-Mail link for SUSE-SU-2026:0017-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1252555 SUSE Bug 1252555 https://www.suse.com/security/cve/CVE-2025-12105/ SUSE CVE CVE-2025-12105 page SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP6-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP6 openSUSE Leap 15.6 libsoup-3_0-0-3.4.4-150600.3.21.1 libsoup-3_0-0-32bit-3.4.4-150600.3.21.1 libsoup-3_0-0-64bit-3.4.4-150600.3.21.1 libsoup-devel-3.4.4-150600.3.21.1 libsoup-devel-32bit-3.4.4-150600.3.21.1 libsoup-devel-64bit-3.4.4-150600.3.21.1 libsoup-lang-3.4.4-150600.3.21.1 typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 libsoup-3_0-0-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsoup-devel-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsoup-lang-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsoup-3_0-0-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libsoup-devel-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libsoup-lang-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libsoup-3_0-0-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 libsoup-devel-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 libsoup-lang-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 libsoup-3_0-0-3.4.4-150600.3.21.1 as a component of openSUSE Leap 15.6 libsoup-3_0-0-32bit-3.4.4-150600.3.21.1 as a component of openSUSE Leap 15.6 libsoup-devel-3.4.4-150600.3.21.1 as a component of openSUSE Leap 15.6 libsoup-devel-32bit-3.4.4-150600.3.21.1 as a component of openSUSE Leap 15.6 libsoup-lang-3.4.4-150600.3.21.1 as a component of openSUSE Leap 15.6 typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 as a component of openSUSE Leap 15.6 A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition. CVE-2025-12105 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup-3_0-0-3.4.4-150600.3.21.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup-devel-3.4.4-150600.3.21.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup-lang-3.4.4-150600.3.21.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup-3_0-0-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup-devel-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup-lang-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server 15 SP6-LTSS:typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup-3_0-0-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup-devel-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup-lang-3.4.4-150600.3.21.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 openSUSE Leap 15.6:libsoup-3_0-0-3.4.4-150600.3.21.1 openSUSE Leap 15.6:libsoup-3_0-0-32bit-3.4.4-150600.3.21.1 openSUSE Leap 15.6:libsoup-devel-3.4.4-150600.3.21.1 openSUSE Leap 15.6:libsoup-devel-32bit-3.4.4-150600.3.21.1 openSUSE Leap 15.6:libsoup-lang-3.4.4-150600.3.21.1 openSUSE Leap 15.6:typelib-1_0-Soup-3_0-3.4.4-150600.3.21.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260017-1/ https://www.suse.com/security/cve/CVE-2025-12105.html CVE-2025-12105 https://bugzilla.suse.com/1252555 SUSE Bug 1252555