Introduction
Application crashes and denial-of-service events have immediate operational consequences for organizations that rely on stable HTTP communications. The recently disclosed use-after-free vulnerability in libsoup, tracked as CVE-2025-12105, affects the many Linux systems and applications that depend on this library for HTTP/2 support.
libsoup is the GNOME project's HTTP client and server library. It underpins GNOME desktop components, WebKitGTK-based browsers and many other Linux applications, and it ships in Red Hat Enterprise Linux (RHEL) 6 through 10 as well as every other major distribution, so a flaw in it has broad reach across both enterprise and desktop systems.
Technical Information
CVE-2025-12105 is a use-after-free in the asynchronous message-queue handling of libsoup's HTTP/2 implementation. It is triggered when an HTTP/2 read operation is aborted at a particular point in time. Under that timing, libsoup's internal state is not synchronized between the code paths involved: one path frees a message queue item while another still holds a pointer to it. The stale pointer is then dereferenced (the use-after-free) and the item is released a second time (a double free). Either step corrupts memory and typically crashes the affected application.
The root cause is a race in the cleanup logic. When an HTTP/2 stream is cancelled while a read on it is still in progress, one code path deallocates the queue item while the other continues to reference it, and the resulting undefined behaviour usually surfaces as a segmentation fault. The sequence can be triggered remotely by a peer that controls the timing of the HTTP/2 traffic; for a libsoup client application that peer is a malicious or compromised server. The impact described in the advisories is a crash, i.e. denial of service. The weakness is classified as CWE-416 (Use After Free), a class of bug known for memory corruption and instability.
No public code snippet for the vulnerable logic has been released, but the flaw is confirmed in the upstream bug tracker and in Red Hat's advisories. It sits specifically in the asynchronous handling of HTTP/2 streams, so it is relevant to any application or service that processes HTTP/2 traffic through libsoup.
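Because no snippet of the vulnerable libsoup logic is public, the following is a constructed, generic model of the bug class described above, written for this page and not taken from libsoup or from Red Hat. It has one queue item and two cleanup paths (read completion and cancellation) that can run in either order. Real malloc/free are replaced by a slot with an "allocated" flag plus a fault log, so a double free or a use-after-free is recorded and counted instead of being undefined behaviour. All names (queue_item, fault_log, run_vulnerable, run_hardened) are invented for the illustration. The hardened variant shows the usual fix shape, one reference per owner plus a cancelled flag, so that whichever path runs last performs the single free.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of CWE-416 in an async queue, NOT libsoup code.
 * A single-threaded driver enumerates the two possible interleavings
 * of "read completes" and "cancel" instead of relying on real timing.
 */

typedef struct {
    bool allocated;  /* true while the item is live */
    bool cancelled;  /* hardened variant: the read path checks this */
    int  refcount;   /* hardened variant: one reference per owner */
    int  bytes_read; /* stand-in for real bookkeeping on the item */
} queue_item;

typedef struct {
    int double_frees;
    int use_after_frees;
} fault_log;

/* Instrumented "free": records a double free instead of corrupting the heap. */
static void item_free(queue_item *it, fault_log *log)
{
    if (!it->allocated) { log->double_frees++; return; }
    it->allocated = false;
}

/* Instrumented access: records a use-after-free instead of crashing. */
static void item_touch(queue_item *it, fault_log *log)
{
    if (!it->allocated) { log->use_after_frees++; return; }
    it->bytes_read++;
}

/* ---- vulnerable pattern: both paths believe they are the sole owner ---- */

static void vuln_read_complete(queue_item *it, fault_log *log)
{
    item_touch(it, log); /* finish the read on the item ... */
    item_free(it, log);  /* ... then release it */
}

static void vuln_cancel(queue_item *it, fault_log *log)
{
    item_free(it, log);  /* the cancel path releases it as well */
}

/* ---- hardened pattern: explicit ownership through a reference count ---- */

static void item_unref(queue_item *it, fault_log *log)
{
    if (!it->allocated) { log->double_frees++; return; }
    if (--it->refcount == 0)
        it->allocated = false; /* the last owner frees */
}

static void safe_read_complete(queue_item *it, fault_log *log)
{
    if (!it->cancelled)
        item_touch(it, log); /* only do work if the stream is still up */
    item_unref(it, log);     /* drop the read path's reference either way */
}

static void safe_cancel(queue_item *it, fault_log *log)
{
    it->cancelled = true;    /* tell the in-flight read to bail out */
    item_unref(it, log);     /* drop the request's reference */
}

/* cancel_first models "cancel lands while the read is in flight";
 * the other order models cancel arriving after the read finished. */
fault_log run_vulnerable(bool cancel_first)
{
    queue_item it = { .allocated = true };
    fault_log log = { 0, 0 };
    if (cancel_first) { vuln_cancel(&it, &log); vuln_read_complete(&it, &log); }
    else              { vuln_read_complete(&it, &log); vuln_cancel(&it, &log); }
    return log;
}

fault_log run_hardened(bool cancel_first)
{
    queue_item it = { .allocated = true, .refcount = 2 }; /* read path + request */
    fault_log log = { 0, 0 };
    if (cancel_first) { safe_cancel(&it, &log); safe_read_complete(&it, &log); }
    else              { safe_read_complete(&it, &log); safe_cancel(&it, &log); }
    return log;
}

int main(void)
{
    for (int cf = 0; cf < 2; cf++) {
        fault_log v = run_vulnerable(cf), h = run_hardened(cf);
        printf("cancel_first=%d  vulnerable: %d double-free, %d UAF  |  hardened: %d, %d\n",
               cf, v.double_frees, v.use_after_frees, h.double_frees, h.use_after_frees);
    }
    return 0;
}
```

Note that the vulnerable variant faults in both orders, but only the cancel-first order also produces a use-after-free; that is the "certain timing intervals" dependence the advisory describes. In real asynchronous code the refcount and the cancelled flag must be updated under the same lock or with atomic operations; the single-threaded driver here sidesteps that by enumerating interleavings explicitly.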
Affected Systems and Versions
Red Hat's advisories list CVE-2025-12105 against RHEL 6, 7, 8, 9 and 10. One caveat for triage: HTTP/2 support was introduced in the libsoup 3.x series, so the affected code path exists only in packages built from libsoup3, not in the libsoup 2.x packages that older releases carry; treat Red Hat's per-release status as authoritative for which packages actually need updating. For RHEL 10 the fixed package is libsoup3 3.6.5-3.el10_0.7 or later, so compare the installed libsoup3 package version against that value. Other distributions and applications that bundle a vulnerable libsoup release with HTTP/2 support are also potentially affected. The vulnerable path is the asynchronous HTTP/2 one, so the bug is reachable whenever an affected application performs asynchronous HTTP/2 requests.
Vendor Security History
Red Hat has a strong track record for timely security advisories and coordinated patch releases. In 2025 alone, several vulnerabilities have been addressed in libsoup, including issues related to integer underflow, heap buffer over-read, and out-of-bounds reads. Red Hat's advisories are detailed, include SHA-256 checksums for package verification, and are released across all supported RHEL versions. The frequency of libsoup vulnerabilities in 2025 highlights ongoing memory safety challenges in the library, but Red Hat's response has been prompt and systematic.