Home

Description

A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash.

PUBLISHED Reserved 2026-07-14 | Published 2026-07-14 | Updated 2026-07-14 | Assigner redhat




MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Missing Release of Resource after Effective Lifetime

Product status

Default status
affected

Default status
unknown

Default status
unknown

Default status
affected

Default status
affected

Timeline

2026-07-14:Reported to Red Hat.
2026-07-14:Made public.

Credits

Red Hat would like to thank cavid for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-15713 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2499941 (RHBZ#2499941) issue-tracking

gitlab.gnome.org/GNOME/libsoup/-/work_items/541

cve.org (CVE-2026-15713)

nvd.nist.gov (CVE-2026-15713)

Download JSON