CVE-2026-0716

4.8 MEDIUM

📋 TL;DR

A buffer read vulnerability in libsoup's WebSocket frame processing allows reading memory outside intended bounds when maximum incoming payload size is unset. This can cause memory exposure or crashes. Applications using libsoup's WebSocket support with non-default configurations are affected.

💻 Affected Systems

Products:
  • libsoup
  • Applications using libsoup WebSocket support
Versions: All versions prior to the fix (specific version TBD from vendor advisory)
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using non-default configuration with unset maximum incoming payload size for WebSocket connections.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Memory exposure leading to information disclosure, or denial of service through application crashes.

🟠 Likely Case: Application instability or crashes when processing malformed WebSocket frames.

🟢 If Mitigated: No impact when using the default configuration or proper payload size limits.

🌐 Internet-Facing: MEDIUM - WebSocket endpoints exposed to untrusted clients could be targeted.
🏢 Internal Only: LOW - Requires specific non-default configuration and WebSocket usage.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires ability to send WebSocket frames to vulnerable endpoint with specific configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-0716

Restart Required: Yes

Instructions:

1. Check current libsoup version
2. Apply vendor-provided patches
3. Restart affected applications
4. Verify fix applied

🔧 Temporary Workarounds

Set a maximum WebSocket payload size (Linux)

Configure libsoup to use the default or an explicit maximum incoming payload size for WebSocket connections.

Configure the application so that connections created with soup_websocket_connection_new_with_protocols() use a proper max_incoming_payload_size.

🧯 If You Can't Patch

  • Disable WebSocket functionality in affected applications
  • Implement network controls to restrict WebSocket traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses libsoup WebSocket connections with max_incoming_payload_size left unset.

Check Version:

pkg-config --modversion libsoup-2.4

(For applications built against libsoup 3, query libsoup-3.0 instead.)

Verify Fix Applied:

Verify that the installed libsoup version is patched and that the application configuration sets a proper payload size limit.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Memory access violation errors
  • WebSocket connection failures

Network Indicators:

  • Unusually large WebSocket frames
  • Malformed WebSocket traffic patterns

SIEM Query:

Search for libsoup-related crashes or WebSocket connection anomalies
