SB2026021163 - SUSE update for libsoup2
Published: February 11, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-14523)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. libsoup accepts duplicate Host: headers and implements a last-value-wins policy when soup_message_headers_get_one[_common] is used to construct the request URI, while many proxies and routers use the first Host: header for routing. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
2) Stack-based buffer overflow (CVE-ID: CVE-2026-0719)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the md4sum() function of libsoup’s NTLM authentication module (SoupAuthNTLM) when handling NTLM authentication requests. A remote attacker can send specially crafted input to the application, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.