CVE-2025-11021

Name: CVE-2025-11021
Description: A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1116469

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libsoup3 (PTS) | bookworm | 3.2.3-0+deb12u2 | vulnerable |
| libsoup3 | trixie | 3.6.5-3 | vulnerable |
| libsoup3 | forky, sid | 3.6.5-4 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libsoup3 | source | (unstable) | (unfixed) | | | 1116469 |

Notes

[trixie] - libsoup3 <no-dsa> (Minor issue)
[bookworm] - libsoup3 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2399627
https://gitlab.gnome.org/GNOME/libsoup/-/issues/459
