Update Needed for libsoup2 to Prevent Web Server Attacks
SUSE-SU-2026:0834-1
Summary
This update addresses multiple security issues in libsoup2, a library used by many web servers and applications. If not updated, these issues could allow attackers to crash the server, steal sensitive information, or make the server unavailable. To protect your system, apply the latest update for libsoup2 as soon as possible.
What to do
- Update libsoup2 to version 2.74.2-150400.3.31.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | libsoup2 | <= 2.74.2-150400.3.31.1 | 2.74.2-150400.3.31.1 |
Original title
Security update for libsoup2
Original description
This update for libsoup2 fixes the following issues:
- CVE-2025-32049: denial of service attack to websocket server (bsc#1240751).
- CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
- CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects (bsc#1257441).
- CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request smuggling and potential DoS (bsc#1257597).
- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers (bsc#1258170).
- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).
- https://www.suse.com/support/update/announcement/2026/suse-su-20260834-1/ Vendor Advisory
- https://bugzilla.suse.com/1240751 Third Party Advisory
- https://bugzilla.suse.com/1257398 Third Party Advisory
- https://bugzilla.suse.com/1257441 Third Party Advisory
- https://bugzilla.suse.com/1257597 Third Party Advisory
- https://bugzilla.suse.com/1258120 Third Party Advisory
- https://bugzilla.suse.com/1258170 Third Party Advisory
- https://bugzilla.suse.com/1258508 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2025-32049 URL
- https://www.suse.com/security/cve/CVE-2026-1467 URL
- https://www.suse.com/security/cve/CVE-2026-1539 URL
- https://www.suse.com/security/cve/CVE-2026-1760 URL
- https://www.suse.com/security/cve/CVE-2026-2369 URL
- https://www.suse.com/security/cve/CVE-2026-2443 URL
- https://www.suse.com/security/cve/CVE-2026-2708 URL
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026