CVE-2026-12549

Summary

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-805: Buffer Access with Incorrect Length Value

Workarounds

To mitigate this issue, applications utilizing libsoup's WebSocket support should ensure that the max_incoming_payload_size is explicitly set to a non-zero value. This prevents the library from processing WebSocket frames with an unset or zero maximum payload size, which can lead to out-of-bounds reads. Consult application-specific documentation for configuring libsoup parameters.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References