CVE-2026-0719

NameCVE-2026-0719
DescriptionA flaw was found in libsoup's NTLM (NT LAN Manager) authentication module. When NTLM authentication is enabled, a local attacker can exploit a stack-based buffer overflow vulnerability in the md4sum() function. This allows the attacker to overwrite adjacent memory, which may result in arbitrary code execution with the privileges of the affected application.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1125083

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libsoup2.4 (PTS)bullseye2.72.0-2vulnerable
bullseye (security)2.72.0-2+deb11u3vulnerable
bookworm2.74.3-1+deb12u1vulnerable
trixie2.74.3-10.1vulnerable
libsoup3 (PTS)bookworm3.2.3-0+deb12u2vulnerable
trixie3.6.5-3vulnerable
forky, sid3.6.5-6vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libsoup2.4source(unstable)(unfixed)
libsoup3source(unstable)(unfixed)1125083

Notes

https://gitlab.gnome.org/GNOME/libsoup/-/issues/477
Search for package or bug name: Reporting problems