CVE-2026-0719

08.01.2026, 13:15

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
redhat	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Debian Releases

Debian Product

Codename

libsoup2.4

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
trixie	vulnerable

libsoup3

bookworm	vulnerable
trixie	vulnerable
forky	vulnerable
sid	vulnerable

Common Weakness Enumeration

CWE-121 - Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

References

https://access.redhat.com/security/cve/CVE-2026-0719

https://bugzilla.redhat.com/show_bug.cgi?id=2427906

https://gitlab.gnome.org/GNOME/libsoup/-/issues/477