CVE-2026-2436
Publication date 26 March 2026
Last updated 7 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libsoup2.4 | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| libsoup3 | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
Notes
vyomydv
libsoup2.4 not-affected: The vulnerable file (libsoup/server/soup-server-connection.c) is libsoup3-only. In libsoup2.4, server-side TLS is set up via soup_socket_setup_ssl() which creates a GTlsServerConnection but never calls g_tls_connection_handshake_async(), the handshake is implicit during stream reads. The only caller of handshake_async is soup_socket_handshake_async(), used exclusively on the client side (soup-connection.c).
Severity score breakdown
CVSS version: CVSS v3.0
Base score
6.5 · Medium
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H