CVE-2025-46420
📋 TL;DR
A memory leak vulnerability in libsoup's soup_header_parse_quality_list() function allows attackers to cause denial of service by sending specially crafted HTTP requests containing quality lists with all-zero elements. This affects applications using vulnerable versions of libsoup for HTTP communication.
💻 Affected Systems
- libsoup
- applications using libsoup for HTTP communication
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to memory exhaustion, causing application crashes or system instability through denial of service.
Likely Case
Memory consumption increases over time under attack, potentially degrading application performance until restart is required.
If Mitigated
With proper monitoring and resource limits, impact is limited to temporary performance degradation before detection and remediation.
🎯 Exploit Status
Exploitation requires sending HTTP requests to applications using vulnerable libsoup versions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for patched versions (RHSA-2025:4439, RHSA-2025:4440, etc.)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:4439
Restart Required: Yes
Instructions:
1. Update the libsoup package using the system package manager.
2. For Red Hat systems: 'yum update libsoup'.
3. Restart affected applications/services using libsoup.
🔧 Temporary Workarounds
Rate limiting (all platforms)
Implement HTTP request rate limiting to reduce the impact of DoS attempts.
Memory monitoring (Linux)
Monitor memory usage of applications using libsoup and restart them if abnormal growth is detected.
🧯 If You Can't Patch
- Implement network filtering to block suspicious HTTP requests containing quality headers with all-zero values
- Deploy reverse proxies with request sanitization to strip or normalize problematic quality headers
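A reverse-proxy style header screen for the second workaround above, as an added example that is not from this page, libsoup or Red Hat: it parses quality-list headers, flags the all-zero shape the TL;DR describes and drops such headers before forwarding, returning the dropped names so they can be logged as a detection signal. The set of screened headers and the sample request headers are assumptions/constructed.

```python
import re

# Added example (not libsoup code): a reverse-proxy style screen that drops
# quality-list headers whose every element carries q=0, the request shape this
# CVE's description ties to the leak. The header set below is an assumption.
QUALITY_LIST_HEADERS = {"accept", "accept-charset", "accept-encoding",
                        "accept-language", "te"}

# q parameter per RFC 9110: 0 or 1 with up to three decimals.
_Q_RE = re.compile(r"^q\s*=\s*([01](?:\.\d{0,3})?)$", re.IGNORECASE)


def parse_quality_list(value):
    """Split a quality list into (token, q) pairs; q defaults to 1.0."""
    items = []
    for element in value.split(","):
        parts = [p.strip() for p in element.split(";")]
        token = parts[0]
        if not token:  # skip empty elements such as a trailing comma
            continue
        q = 1.0
        for param in parts[1:]:
            m = _Q_RE.match(param)
            if m:
                q = float(m.group(1))
        items.append((token, q))
    return items


def is_all_zero(value):
    """True when the list is non-empty and every element has q=0."""
    items = parse_quality_list(value)
    return bool(items) and all(q == 0.0 for _, q in items)


def sanitize_headers(headers):
    """Return (cleaned headers, names of dropped headers); log the latter."""
    cleaned, dropped = {}, []
    for name, value in headers.items():
        if name.lower() in QUALITY_LIST_HEADERS and is_all_zero(value):
            dropped.append(name)
            continue
        cleaned[name] = value
    return cleaned, dropped


# Constructed sample request headers, not captured traffic.
SAMPLE = {
    "Host": "example.invalid",
    "Accept": "text/html, application/json;q=0.9",
    "Accept-Encoding": "gzip;q=0, deflate;q=0.0, br;q=0.000",
}
```

Headers that keep at least one non-zero element pass through untouched, so legitimate content negotiation is not affected.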
🔍 How to Verify
Check if Vulnerable:
Check the libsoup version: 'rpm -q libsoup' (RHEL) or 'dpkg -l libsoup*' (Debian/Ubuntu) and compare it against the patched versions in the advisories.
Check Version:
rpm -q libsoup || dpkg -l libsoup*
Verify Fix Applied:
Verify the updated version: 'rpm -q libsoup' should show the patched version listed in the advisory. Test with crafted requests to confirm there is no memory growth.
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption patterns in application logs
- Application crashes or restarts related to memory exhaustion
Network Indicators:
- HTTP requests containing quality headers (Accept, Accept-Encoding) with unusual values
- Repeated requests from single sources
SIEM Query:
source=application_logs memory_usage>threshold OR process_restart
🔗 References
- https://access.redhat.com/errata/RHSA-2025:4439
- https://access.redhat.com/errata/RHSA-2025:4440
- https://access.redhat.com/errata/RHSA-2025:4508
- https://access.redhat.com/errata/RHSA-2025:4538
- https://access.redhat.com/errata/RHSA-2025:4560
- https://access.redhat.com/errata/RHSA-2025:4568
- https://access.redhat.com/errata/RHSA-2025:4609
- https://access.redhat.com/errata/RHSA-2025:4624
- https://access.redhat.com/errata/RHSA-2025:7436
- https://access.redhat.com/security/cve/CVE-2025-46420
- https://bugzilla.redhat.com/show_bug.cgi?id=2361963
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/438