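--- a/SPECS/libsoup/CVE-2026-0716.patch
+++ b/SPECS/libsoup/CVE-2026-0716.patch
@@ -0,0 +1,102 @@
+From cdb82443caf077486dfefa7db3057bd571e392c6 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Mon, 2 Feb 2026 10:46:00 -0600
+Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
+
+If the maximum incoming payload size is unset, then a malicious frame could
+cause an overflow when calculating the needed amount of data, leading to an
+out-of-bounds read later.
+
+This is CVE-2026-0716.
+
+Closes #476
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494.patch
+---
+libsoup/websocket/soup-websocket-connection.c | 6 +++
+tests/websocket-test.c | 44 +++++++++++++++++++
+2 files changed, 50 insertions(+)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index a185b5f..066720e 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -1115,6 +1115,12 @@ process_frame (SoupWebsocketConnection *self)
+payload += 4;
+at += 4;
+
++ /* at has a maximum value of 10 + 4 = 14 */
++ if (payload_len > G_MAXSIZE - 14) {
++ bad_data_error_and_close (self);
++ return FALSE;
++ }
++
+if (len < at + payload_len)
+return FALSE; /* need more data */
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 2dcbcb3..62a6850 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -2244,6 +2244,41 @@ test_connection_error (void)
+soup_test_session_abort_unref (session);
+}
+
++static void
++test_cve_2026_0716 (Test *test,
++ gconstpointer unused)
++{
++ GError *error = NULL;
++ GIOStream *io;
++ gsize written;
++ const char *frame;
++ gboolean close_event = FALSE;
++
++ g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++ io = soup_websocket_connection_get_io_stream (test->client);
++
++ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
++
++ // Malicious masked frame header (10-byte header + 4-byte mask) */
++ frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
++ if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
++ frame, 14, &written, NULL, NULL))
++ g_assert_cmpstr ("This code", ==, "should not be reached");
++ g_assert_cmpuint (written, ==, 14);
++
++ WAIT_UNTIL (error != NULL);
++ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++ g_clear_error (&error);
++
++ WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
++ g_assert_true (close_event);
++
++ g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++}
++
+int
+main (int argc,
+char *argv[])
+@@ -2521,6 +2556,15 @@ main (int argc,
+
+g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+
++ g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
++ setup_direct_connection,
++ test_cve_2026_0716,
++ teardown_direct_connection);
++ g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
++ setup_soup_connection,
++ test_cve_2026_0716,
++ teardown_soup_connection);
++
+ret = g_test_run ();
+
+test_cleanup ();
+--
+2.45.4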
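Review bot: The guard added to process_frame hard-codes 14 as the largest value of `at`, so its correctness rests on the comment above it staying true; `if (payload_len > G_MAXSIZE - at) {` bounds exactly the sum that the following `len < at + payload_len` comparison computes and cannot go stale if header parsing changes. The guard sits after `payload += 4; at += 4;`, which looks like the masked-frame path, and process_frame starts and ends outside the hunk, so it is worth confirming that no earlier `at + payload_len` comparison or unmasked path sees the same length unchecked. test_cve_2026_0716 sends only a masked frame, so an unmasked case would need its own test if that path is reachable. In the test, the comment `// Malicious masked frame header (10-byte header + 4-byte mask) */` carries a stray `*/`.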

6 changes: 5 additions & 1 deletion SPECS/libsoup/libsoup.spec
Expand Up @@ -4,7 +4,7 @@
Summary: libsoup HTTP client/server library
Name: libsoup
Version: 3.4.4
Release: 12%{?dist}
Release: 13%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand Down Expand Up @@ -74,6 +74,7 @@ Patch24: CVE-2026-1467.patch
Patch25: CVE-2026-1536.patch
Patch26: CVE-2026-1761.patch
Patch27: CVE-2026-1801.patch
Patch28: CVE-2026-0716.patch

%description
libsoup is HTTP client/server library for GNOME
Expand Down Expand Up @@ -141,6 +142,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%defattr(-,root,root)

%changelog
* Tue Feb 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-13
- Patch for CVE-2026-0716

* Mon Feb 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-12
- Patch for CVE-2026-1801, CVE-2026-1761, CVE-2026-1536, CVE-2025-32049, CVE-2026-1467
