ISN 2025-18: Critical Libsoup Vulnerability

First published 26 May 2025

CVSS 3.1: 9.0 (Critical)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

Security vulnerabilities have been discovered in libsoup, an HTTP client/server library used in IGEL OS. This affects the following product versions:

• IGEL OS 12

• IGEL OS 11

Details

Several security issues have been found in libsoup. CVE-2025-32911 is rated critical and concerns a use-after-free vulnerability in the treatment of HTTP headers that a remote attacker could use to cause memory corruption in the HTTP server.

Issues CVE-2025-32906 and CVE-2025-32914 are rated high and describe out-of-bounds reads that could crash the HTTP server. A libsoup client or server could also be crashed by a NULL pointer dereference (CVE-2025-32913, high).

Update Instructions

• OS 12: Update to OS 12.7.0 when available (planned for 4 June).

• OS 11: Update to OS 11.10.310 when available (planned for 4 June).

References

• CVE-2025-32911: https://www.cve.org/CVERecord?id=CVE-2025-32911

• CVE-2025-32906: https://www.cve.org/CVERecord?id=CVE-2025-32906

• CVE-2025-32914: https://www.cve.org/CVERecord?id=CVE-2025-32914

• CVE-2025-32913: https://www.cve.org/CVERecord?id=CVE-2025-32913