Malformed HTTP Responses in GNOME's Libsoup due to Range Request Vulnerability
CVE-2026-12549

4.8 MEDIUM

What is CVE-2026-12549?

A vulnerability in GNOME's Libsoup arises from an issue with handling Range requests. Specifically, when a client sends a Range request with a suffix length that surpasses the actual content size, the absence of appropriate overflow checks leads to a negative start value. This results in malformed HTTP 206 responses and can cause excessive logging, potentially affecting server performance. Proper implementation of input validation is essential to mitigate this issue.
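
The arithmetic described above, as an added example that is not libsoup's code: an unchecked suffix-range calculation beside a bounds-checked one, with the `Content-Range` value each would produce. All type and function names are hypothetical, the request values are constructed, and the clamping rule follows RFC 9110 (a suffix length longer than the representation selects the whole representation).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not libsoup's API. */
typedef struct { int64_t start, end; } byte_range;

/* Before: no bound check, so start goes negative when suffix_len > total_len. */
static byte_range suffix_range_unchecked(int64_t suffix_len, int64_t total_len)
{
    byte_range r = { total_len - suffix_len, total_len - 1 };
    return r;
}

/* After: returns false when no 206 should be built from this range. */
static bool suffix_range_checked(int64_t suffix_len, int64_t total_len, byte_range *out)
{
    if (suffix_len <= 0 || total_len <= 0)
        return false;
    if (suffix_len > total_len)      /* RFC 9110: serve the whole representation */
        suffix_len = total_len;
    out->start = total_len - suffix_len;
    out->end = total_len - 1;
    return true;
}

/* Format the Content-Range value a 206 response would carry. */
static int content_range(char *buf, size_t n, byte_range r, int64_t total_len)
{
    return snprintf(buf, n, "bytes %" PRId64 "-%" PRId64 "/%" PRId64,
                    r.start, r.end, total_len);
}

int main(void)
{
    char buf[64];
    /* Constructed input: a suffix length of 1000 against 100 bytes of content. */
    byte_range r = suffix_range_unchecked(1000, 100);
    content_range(buf, sizeof buf, r, 100);
    printf("unchecked: %s\n", buf);
    if (suffix_range_checked(1000, 100, &r)) {
        content_range(buf, sizeof buf, r, 100);
        printf("checked:   %s\n", buf);
    }
    return 0;
}
```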

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
