CVE-2026-12478 in Linux
Summary
by MITRE • 07/14/2026
The fix for CVE-2026-0716 (commit 6ff7ef0, libsoup 3.6.6) placed the integer overflow guard inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability described in CVE-2026-0716 represents a critical security flaw in the libsoup library version 3.6.6 that affects WebSocket client implementations. This issue stems from an improper implementation of integer overflow protection mechanisms within the WebSocket frame processing logic, creating a significant attack surface for remote adversaries. The vulnerability specifically targets the handling of WebSocket frames where the masking bit is not set, leaving these unmasked frames susceptible to malicious manipulation.
The technical flaw manifests in the placement of integer overflow guards within conditional blocks that only protect masked frames while neglecting their unmasked counterparts. This design decision creates a scenario where an attacker can craft a malicious WebSocket frame with a payload length approaching UINT64_MAX, effectively exploiting a buffer over-read condition. When libsoup-based clients process such frames and have max_incoming_payload_size configured to zero, the library fails to properly validate or limit the incoming data size, resulting in out-of-bounds memory reads that can lead to information disclosure or potential code execution.
The operational impact of this vulnerability extends beyond simple data corruption as it enables sophisticated attack vectors that can be leveraged by malicious WebSocket servers. The vulnerability is particularly dangerous because it operates at the protocol level where clients are expected to handle arbitrary data from untrusted sources, making it difficult to predict or prevent such attacks through traditional network security measures. An attacker with access to a WebSocket server can craft payloads that bypass normal security checks and exploit the library's failure to validate unmasked frame sizes, potentially leading to memory corruption or information leakage.
This vulnerability aligns with CWE-190, Integer Overflow or Wraparound, and represents a classic example of incomplete input validation where security controls are applied selectively rather than comprehensively. The flaw also maps to ATT&CK technique T1566.001, Phishing, as it can be exploited through malicious WebSocket connections that appear legitimate to the client application. The improper implementation falls under the category of defensive code flaws where the fix was applied incompletely, leaving a critical gap in the security model.
Mitigation strategies for this vulnerability require immediate patching of libsoup to version 3.6.7 or later where the integer overflow protections are correctly applied to both masked and unmasked WebSocket frames. Organizations should also implement network-level controls such as WebSocket traffic filtering and monitoring to detect anomalous frame sizes, while application developers should ensure proper configuration of max_incoming_payload_size parameters and consider implementing additional validation layers. Additionally, security teams should monitor for signs of exploitation through unusual memory access patterns or unexpected client behavior that might indicate successful exploitation of this vulnerability.