CVE-2026-0716

Publication date 13 January 2026

Last updated 14 January 2026

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

4.8 · Medium

Score breakdown

Description

A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.

Read the notes from the security team

Status

Package Ubuntu Release Status
libsoup2.4 25.10 questing
Vulnerable, fix deferred
25.04 plucky Ignored end of life, was deferred [2026-01-13]
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred
16.04 LTS xenial
Vulnerable, fix deferred
libsoup3 25.10 questing
Vulnerable, fix deferred
25.04 plucky Ignored end of life, was deferred [2026-01-13]
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred

Notes

hlibk

As of 2026-01-13, the upstream PR fixing this issue has not yet been merged.

Severity score breakdown

Parameter Value
Base score 4.8 · Medium
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact Low
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

References

Other references