PatchSiren cyber security CVE debrief
CVE-2026-12478 Red Hat CVE debrief
CVE-2026-12478 is a medium-severity vulnerability in libsoup, a popular open-source HTTP client library. The fix for CVE-2026-0716 introduced an integer overflow guard, but it was placed inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0.
- Vendor
- Red Hat
- Product
- Red Hat Enterprise Linux 10
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Developers and administrators using libsoup in their applications, especially those handling WebSocket connections, should be aware of this vulnerability. Red Hat users may be affected, as indicated by the presence of a Red Hat security advisory.
Technical summary
The vulnerability arises from the incomplete fix for CVE-2026-0716 in libsoup 3.6.6. The integer overflow guard was added inside the if (masked) block, which means unmasked frames are not protected. An attacker can exploit this by sending a specially crafted unmasked WebSocket frame with a large payload length, potentially causing an out-of-bounds read in libsoup-based clients when max_incoming_payload_size is set to 0.
Defensive priority
Medium priority should be given to updating libsoup to a version that correctly addresses this issue, as it could lead to information disclosure or crashes in affected applications.
Recommended defensive actions
- Update libsoup to the latest version that includes the correct fix for CVE-2026-12478
- Review and adjust WebSocket connection handling in applications using libsoup
- Monitor for any suspicious WebSocket traffic that could be related to this vulnerability
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record and NVD entry provide limited information about the vulnerability. Further investigation is needed to fully understand the impact and affected scope. The presence of a Red Hat security advisory suggests that Red Hat users may be affected.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T10:16:30.957Z and has not been modified since then.