Security update for libsoup SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20205-1 Final 1 1 2026-01-30T14:27:53Z current 2026-01-30T14:27:53Z 2026-01-30T14:27:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup This update for libsoup fixes the following issues: - CVE-2025-11021: Fixed out-of-bounds read in Cookie Date Handling of libsoup HTTP Library (bsc#1250562). - CVE-2026-0719: Fixed stack-based buffer overflow in NTLM authentication can lead to arbitrary code execution (bsc#1256399). - CVE-2026-0716: Fixed improper bounds handling may allow out-of-bounds read (bsc#1256418). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SL-Micro-6.2-227 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620205-1/ Link for SUSE-SU-2026:20205-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024054.html E-Mail link for SUSE-SU-2026:20205-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1250562 SUSE Bug 1250562 https://bugzilla.suse.com/1256399 SUSE Bug 1256399 https://bugzilla.suse.com/1256418 SUSE Bug 1256418 https://www.suse.com/security/cve/CVE-2025-11021/ SUSE CVE CVE-2025-11021 page https://www.suse.com/security/cve/CVE-2026-0716/ SUSE CVE CVE-2026-0716 page https://www.suse.com/security/cve/CVE-2026-0719/ SUSE CVE CVE-2026-0719 page SUSE Linux Micro 6.2 libsoup-3_0-0-3.6.5-160000.3.1 libsoup-3_0-0-3.6.5-160000.3.1 as a component of SUSE Linux Micro 6.2 A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup. CVE-2025-11021 SUSE Linux Micro 6.2:libsoup-3_0-0-3.6.5-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620205-1/ https://www.suse.com/security/cve/CVE-2025-11021.html CVE-2025-11021 https://bugzilla.suse.com/1250562 SUSE Bug 1250562 A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. CVE-2026-0716 SUSE Linux Micro 6.2:libsoup-3_0-0-3.6.5-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620205-1/ https://www.suse.com/security/cve/CVE-2026-0716.html CVE-2026-0716 https://bugzilla.suse.com/1256418 SUSE Bug 1256418 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. CVE-2026-0719 SUSE Linux Micro 6.2:libsoup-3_0-0-3.6.5-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620205-1/ https://www.suse.com/security/cve/CVE-2026-0719.html CVE-2026-0719 https://bugzilla.suse.com/1256399 SUSE Bug 1256399