Home

Description

A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop (inflate()) processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via max_incoming_payload_size, it fails to track or limit memory allocation during decompression. A separate check for decompressed size (max_total_message_size) exists but executes only after inflation is complete, and it is entirely disabled by default for client connections. A remote, unauthenticated attacker can exploit this by sending a small, highly compressed payload (a decompression bomb), causing unbounded memory allocation that triggers an Out-of-Memory (OOM) crash and a Denial of Service (DoS).

PUBLISHED Reserved 2026-07-14 | Published 2026-07-14 | Updated 2026-07-14 | Assigner redhat




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Improper Handling of Highly Compressed Data (Data Amplification)

Product status

Default status
affected

Default status
unknown

Default status
unknown

Default status
affected

Default status
affected

Timeline

2026-07-14:Reported to Red Hat.
2026-07-14:Made public.

Credits

Red Hat would like to thank Tristan Madani for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-15709 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2499922 (RHBZ#2499922) issue-tracking

gitlab.gnome.org/GNOME/libsoup/-/issues/511

cve.org (CVE-2026-15709)

nvd.nist.gov (CVE-2026-15709)

Download JSON