Out-of-Bounds Read Vulnerability in Libsoup's Multipart Processing by GNOME
CVE-2026-15714
What is CVE-2026-15714?
An out-of-bounds read vulnerability has been identified in libsoup's multipart processing subsystem. Specifically, the issue arises within the soup_multipart_input_stream_read_headers() function located in soup-multipart-input-stream.c. This flaw occurs due to insufficient restrictions on the size of incoming multipart boundary strings. When handling a specially crafted HTTP response with an improperly formatted or excessively large boundary parameter, the internal stream reader may read beyond the allocated buffer limits. This could enable a remote, unauthenticated attacker to exploit the vulnerability, potentially leading to service denial (DoS) by causing application failures or gaining access to fragments of unauthorized memory metadata.
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved