Introduction
Sensitive information leakage from memory can have direct consequences for user privacy and application security. The libsoup HTTP library, a foundational component for GNOME and many Linux-based applications, is affected by a high-severity vulnerability (CVE-2025-11021) that allows attackers to trigger an out-of-bounds memory read via crafted cookie expiration dates.
libsoup is a widely used HTTP client and server library maintained by the GNOME Foundation. It underpins web communication in the GNOME desktop environment and is a dependency for many open-source and commercial applications across Linux distributions. Its broad adoption means vulnerabilities can have a ripple effect across the Linux ecosystem.
Technical Information
CVE-2025-11021 is classified as an out-of-bounds read (CWE-125) in the cookie date handling logic of libsoup. When libsoup processes an HTTP response containing a Set-Cookie header, it parses the expiration date to determine the cookie's validity. The vulnerability arises because the parsing logic does not adequately validate the length or format of the expiration date string before processing it. If an attacker controls an HTTP server or can inject responses, they can send a Set-Cookie header with a specially crafted expiration date. This malformed value causes libsoup to read memory beyond the allocated buffer, potentially disclosing sensitive data from the process memory space.
The attack requires only that a vulnerable libsoup-based client processes a malicious HTTP response. No user interaction or special privileges are necessary. The flaw is particularly concerning for desktop environments and applications that regularly interact with untrusted web servers.
No public code snippets or proof of concept are available for this vulnerability as of the publication date.
Affected Systems and Versions
Based on available information, the vulnerability affects libsoup as used in GNOME and other Linux-based applications. The specific affected versions are not listed in the public sources. Organizations should assume that all currently supported versions of libsoup in major Linux distributions may be affected until vendor advisories specify otherwise.
Vendor Security History
libsoup has experienced several memory safety vulnerabilities in recent years, including:
- CVE-2025-2784: Heap buffer over-read in content sniffing
- CVE-2025-32914: Out-of-bounds read in multipart message processing
Major vendors such as Red Hat, Ubuntu, and SUSE typically respond with patches within days to weeks of disclosure. However, the frequency of memory management issues in libsoup highlights ongoing challenges in secure coding practices for this library.