{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-2708", "tracking": { "current_release_date": "2026-03-25T22:19:35.854165Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-2708", "initial_release_date": "2026-02-20T00:27:45.247239Z", "revision_history": [ { "date": "2026-02-20T00:27:45.247239Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (10).| Product Identifiers created (5).| References created (2).| CWES updated (1).| Vendor_assessment created." }, { "date": "2026-02-20T00:27:55.544772Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-02-20T12:43:17.120315Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Products connected (3)." }, { "date": "2026-02-20T12:43:25.888006Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-05T00:45:49.773194Z", "number": "5", "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products connected (1).| References created (11)." }, { "date": "2026-03-07T18:45:36.920373Z", "number": "6", "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products connected (11).| References created (15)." }, { "date": "2026-03-25T18:45:39.575601Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (1).| References created (19)." }, { "date": "2026-03-25T18:45:42.906852Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-25T22:18:38.556700Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (4).| References created (9)." }, { "date": "2026-03-25T22:18:41.090678Z", "number": "10", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (8).| References created (9)." }, { "date": "2026-03-25T22:19:32.745127Z", "number": "11", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (4).| References created (9)." }, { "date": "2026-03-25T22:19:34.933421Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (1).| References created (9)." } ], "status": "interim", "version": "12" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/10", "product": { "name": "vers:rpm/10", "product_id": "CSAFPID-2858634", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:10" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 10" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/6", "product": { "name": "vers:rpm/6", "product_id": "CSAFPID-1439321", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:6" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 6" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/7", "product": { "name": "vers:rpm/7", "product_id": "CSAFPID-1439315", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/8", "product": { "name": "vers:rpm/8", "product_id": "CSAFPID-1439317", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/9", "product": { "name": "vers:rpm/9", "product_id": "CSAFPID-1439319", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:9" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 9" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2618547" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 6" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2618548" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2618549" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2618550" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 9" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2965651" } } ], "category": "product_name", "name": "libsoup3" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 10" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910546" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770091" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910547" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770092" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910548" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770093" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910549" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770094" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.68.4-150200.4.30.1", "product": { "name": "vers:unknown/>=0|<2.68.4-150200.4.30.1", "product_id": "CSAFPID-5910662" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Micro 5.2" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product": { "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product_id": "CSAFPID-5910542" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product": { "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product_id": "CSAFPID-5910658" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Module for Basesystem 15 SP7" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910550" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770095" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Server 15 SP4-LTSS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910551" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770096" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Server 15 SP5-LTSS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product": { "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product_id": "CSAFPID-5910543" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product": { "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product_id": "CSAFPID-5910659" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Server 15 SP6-LTSS" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910552" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770097" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Server for SAP Applications 15 SP4" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product": { "name": "vers:unknown/>=0|<3.0.4-150400.3.34.1", "product_id": "CSAFPID-5910553" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770098" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Server for SAP Applications 15 SP5" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product": { "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product_id": "CSAFPID-5910544" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product": { "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product_id": "CSAFPID-5910660" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Server for SAP Applications 15 SP6" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.4.2-13.1", "product": { "name": "vers:unknown/>=0|<3.4.2-13.1", "product_id": "CSAFPID-5760588" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "SUSE:Linux Micro 6.0" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.6.6-160000.1.1", "product": { "name": "vers:unknown/>=0|<3.6.6-160000.1.1", "product_id": "CSAFPID-5908632" } } ], "category": "product_name", "name": "libsoup" } ], "category": "product_family", "name": "SUSE:Linux Micro 6.2" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product": { "name": "vers:unknown/>=0|<3.4.4-150600.3.34.1", "product_id": "CSAFPID-5910545" } } ], "category": "product_name", "name": "libsoup" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product": { "name": "vers:unknown/>=0|<2.74.3-150600.4.27.1", "product_id": "CSAFPID-5910661" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "openSUSE:Leap 15.6" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770088" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Micro 5.3" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770089" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Micro 5.4" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product": { "name": "vers:unknown/>=0|<2.74.2-150400.3.31.1", "product_id": "CSAFPID-5770090" } } ], "category": "product_name", "name": "libsoup2" } ], "category": "product_family", "name": "SUSE:Linux Enterprise Micro 5.5" } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-2617521" } } ], "category": "product_name", "name": "libsoup2.4" }, { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-2563067" } } ], "category": "product_name", "name": "libsoup3" } ], "category": "product_family", "name": "bookworm" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-2617522" } } ], "category": "product_name", "name": "libsoup2.4" } ], "category": "product_family", "name": "bullseye" } ], "category": "vendor", "name": "Debian" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-2708", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')" }, "notes": [ { "category": "description", "text": "No description is available for this CVE.\nThe practical impact is limited because SoupServer is a testing and development utility, not designed for production internet infrastructure. Exploitation requires a deployment topology where SoupServer is serving real traffic behind (or in front of) another HTTP server acting as a proxy — a scenario that contradicts its intended use.", "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-2708" }, { "category": "description", "text": "This update for libsoup fixes the following issues:\n\n- CVE-2025-12105: Fixed heap use-after-free in message queue handling during HTTP/2 read completion. (bsc#1252555)\n- CVE-2025-32049: Fixed a Denial of Service attack to websocket server. (bsc#1240751)\n- CVE-2026-2443: Fixed an out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers. (bsc#1258170)\n- CVE-2026-2369: Fixed a buffer overread due to integer underflow when handling zero-length resources. (bsc#1258120)\n- CVE-2026-2708: Fixed HTTP request smuggling via duplicate Content-Length headers. (bsc#1258508)\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:20529-1.json?alt=media" }, { "category": "description", "text": "This update for libsoup2 fixes the following issues:\n\n- CVE-2025-32049: denial of service attack to websocket server (bsc#1240751).\n- CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).\n- CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects\n (bsc#1257441).\n- CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request\n smuggling and potential DoS (bsc#1257597).\n- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).\n- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information\n disclosure to remote attackers (bsc#1258170).\n- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0834-1.json?alt=media" }, { "category": "description", "text": "This update for libsoup fixes the following issues:\n\nUpdate to libsoup 3.6.6:\n\n- CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion (bsc#1252555).\n- CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (bsc#1254876).\n- CVE-2025-32049: Denial of Service attack to websocket server (bsc#1240751).\n- CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).\n- CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects\n (bsc#1257441).\n- CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request\n smuggling and potential DoS (bsc#1257597).\n- CVE-2026-2369: Buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).\n- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information\n disclosure to remote attackers (bsc#1258170).\n- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).\n\nChangelog:\n\n- websocket: Fix out-of-bounds read in process_frame\n- Check nulls returned by soup_date_time_new_from_http_string()\n- Numerous fixes to handling of Range headers\n- server: close the connection after responsing a request\ncontaining Content-Length and Transfer-Encoding\n- Use CRLF as line boundary when parsing chunked enconding data\n- websocket: do not accept messages frames after closing due to\nan error\n- Sanitize filename of content disposition header values\n- Always validate the headers value when coming from untrusted\nsource\n- uri-utils: do host validation when checking if a GUri is valid\n- multipart: check length of bytes read\nsoup_filter_input_stream_read_until()\n- message-headers: Reject duplicate Host headers\n- server: null-check soup_date_time_to_string()\n- auth-digest: fix crash in\nsoup_auth_digest_get_protection_space()\n- session: fix 'heap-use-after-free' caused by 'finishing' queue\nitem twice\n- cookies: Avoid expires attribute if date is invalid\n- http1: Set EOF flag once content-length bytes have been read\n- date-utils: Add value checks for date/time parsing\n- multipart: Fix multiple boundry limits\n- Fixed multiple possible memory leaks\n- message-headers: Correct merge of ranges\n- body-input-stream: Correct chunked trailers end detection\n- server-http2: Correctly validate URIs\n- multipart: Fix read out of buffer bounds under\nsoup_multipart_new_from_message()\n- headers: Ensure Request-Line comprises entire first line\n- tests: Fix MSVC build error\n- Fix possible deadlock on init from gmodule usage\n- Updated translations.\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:20752-1.json?alt=media" }, { "category": "description", "text": "This update for libsoup fixes the following issues:\n\n- CVE-2025-32049: denial of Service attack to websocket server (bsc#1240751).\n- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).\n- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information\n disclosure to remote attackers (bsc#1258170).\n- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0690-1.json?alt=media" }, { "category": "description", "text": "This update for libsoup fixes the following issues:\n\n- CVE-2025-32049: denial of Service attack to websocket server (bsc#1240751).\n- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).\n- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information\n disclosure to remote attackers (bsc#1258170).\n- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0689-1.json?alt=media" }, { "category": "description", "text": "This update for libsoup2 fixes the following issues:\n\n- CVE-2025-32049: denial of Service attack to websocket server (bsc#1240751).\n- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).\n- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information\n disclosure to remote attackers (bsc#1258170).\n- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0657-1.json?alt=media" }, { "category": "description", "text": "This update for libsoup fixes the following issues:\n\n- CVE-2025-32049: denial of Service attack to websocket server (bsc#1240751).\n- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).\n- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information\n disclosure to remote attackers (bsc#1258170).\n- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).\n", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0658-1.json?alt=media" }, { "category": "other", "text": "3.7", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, The value of the most recent CVSS (V3) score", "title": "NCSC Score top decreasing factors" }, { "category": "details", "text": "Severity: 1\n", "title": "Vendor assessment" } ], "product_status": { "known_affected": [ "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439319", "CSAFPID-1439321", "CSAFPID-2618547", "CSAFPID-2618548", "CSAFPID-2618549", "CSAFPID-2618550", "CSAFPID-2858634", "CSAFPID-2965651", "CSAFPID-2563067", "CSAFPID-2617521", "CSAFPID-2617522", "CSAFPID-5760588", "CSAFPID-5770088", "CSAFPID-5770089", "CSAFPID-5770090", "CSAFPID-5770091", "CSAFPID-5770092", "CSAFPID-5770093", "CSAFPID-5770094", "CSAFPID-5770095", "CSAFPID-5770096", "CSAFPID-5770097", "CSAFPID-5770098", "CSAFPID-5908632", "CSAFPID-5910542", "CSAFPID-5910543", "CSAFPID-5910544", "CSAFPID-5910545", "CSAFPID-5910546", "CSAFPID-5910547", "CSAFPID-5910548", "CSAFPID-5910549", "CSAFPID-5910550", "CSAFPID-5910551", "CSAFPID-5910552", "CSAFPID-5910553", "CSAFPID-5910658", "CSAFPID-5910659", "CSAFPID-5910660", "CSAFPID-5910661", "CSAFPID-5910662" ] }, "references": [ { "category": "external", "summary": "Source - redhat", "url": "https://access.redhat.com/security/cve/CVE-2026-2708" }, { "category": "external", "summary": "Source raw - redhat", "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2708.json" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-2708" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:20529-1.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0834-1.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:20752-1.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0690-1.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0689-1.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0657-1.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/SUSE%2FSUSE-SU-2026:0658-1.json?alt=media" }, { "category": "external", "summary": "Reference - redhat", "url": "https://www.cve.org/CVERecord?id=CVE-2026-2708" }, { "category": "external", "summary": "Reference - redhat", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2708" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620529-1/" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1240751" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1252555" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1258120" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1258170" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1258508" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2025-12105" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2025-32049" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2026-2369" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2026-2443" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2026-2708" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260834-1/" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1257398" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1257441" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1257597" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2026-1467" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2026-1539" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2026-1760" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620752-1/" }, { "category": "external", "summary": "Reference - osv", "url": "https://bugzilla.suse.com/1254876" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/security/cve/CVE-2025-14523" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260690-1/" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260689-1/" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260657-1/" }, { "category": "external", "summary": "Reference - osv", "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260658-1/" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW" }, "products": [ "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439319", "CSAFPID-1439321", "CSAFPID-2563067", "CSAFPID-2617521", "CSAFPID-2617522", "CSAFPID-2618547", "CSAFPID-2618548", "CSAFPID-2618549", "CSAFPID-2618550", "CSAFPID-2858634", "CSAFPID-2965651", "CSAFPID-5760588", "CSAFPID-5770088", "CSAFPID-5770089", "CSAFPID-5770090", "CSAFPID-5770091", "CSAFPID-5770092", "CSAFPID-5770093", "CSAFPID-5770094", "CSAFPID-5770095", "CSAFPID-5770096", "CSAFPID-5770097", "CSAFPID-5770098", "CSAFPID-5908632", "CSAFPID-5910542", "CSAFPID-5910543", "CSAFPID-5910544", "CSAFPID-5910545", "CSAFPID-5910546", "CSAFPID-5910547", "CSAFPID-5910548", "CSAFPID-5910549", "CSAFPID-5910550", "CSAFPID-5910551", "CSAFPID-5910552", "CSAFPID-5910553", "CSAFPID-5910658", "CSAFPID-5910659", "CSAFPID-5910660", "CSAFPID-5910661", "CSAFPID-5910662" ] } ], "title": "CVE-2026-2708" } ] }