An update for libsoup3 is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2698 Final 1.0 1.0 2026-06-24 Initial 2026-06-24 2026-06-24 openEuler SA Tool V1.0 2026-06-24 libsoup3 security update An update for libsoup3 is now available for openEuler-24.03-LTS-SP1 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. Security Fix(es): A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS).(CVE-2025-32908) A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.(CVE-2026-0719) A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.(CVE-2026-1761) A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.(CVE-2026-1801) A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.(CVE-2026-2443) A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).(CVE-2026-4271) An update for libsoup3 is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High libsoup3 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-32908 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-0719 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1761 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1801 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-2443 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-4271 https://nvd.nist.gov/vuln/detail/CVE-2025-32908 https://nvd.nist.gov/vuln/detail/CVE-2026-0719 https://nvd.nist.gov/vuln/detail/CVE-2026-1761 https://nvd.nist.gov/vuln/detail/CVE-2026-1801 https://nvd.nist.gov/vuln/detail/CVE-2026-2443 https://nvd.nist.gov/vuln/detail/CVE-2026-4271 openEuler-24.03-LTS-SP1 libsoup3-3.4.5-20.oe2403sp1.aarch64.rpm libsoup3-debuginfo-3.4.5-20.oe2403sp1.aarch64.rpm libsoup3-debugsource-3.4.5-20.oe2403sp1.aarch64.rpm libsoup3-devel-3.4.5-20.oe2403sp1.aarch64.rpm libsoup3-3.4.5-20.oe2403sp1.src.rpm libsoup3-3.4.5-20.oe2403sp1.x86_64.rpm libsoup3-debuginfo-3.4.5-20.oe2403sp1.x86_64.rpm libsoup3-debugsource-3.4.5-20.oe2403sp1.x86_64.rpm libsoup3-devel-3.4.5-20.oe2403sp1.x86_64.rpm libsoup3-help-3.4.5-20.oe2403sp1.noarch.rpm A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS). 2026-06-24 CVE-2025-32908 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H libsoup3 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. 2026-06-24 CVE-2026-0719 openEuler-24.03-LTS-SP1 High 8.6 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H libsoup3 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698 A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. 2026-06-24 CVE-2026-1761 openEuler-24.03-LTS-SP1 High 8.6 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L libsoup3 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698 A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. 2026-06-24 CVE-2026-1801 openEuler-24.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N libsoup3 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698 A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component. 2026-06-24 CVE-2026-2443 openEuler-24.03-LTS-SP1 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N libsoup3 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698 A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS). 2026-06-24 CVE-2026-4271 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H libsoup3 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2698