CVE-2026-2369
Eric Su and Samuel Dainard discovered that libsoup incorrectly handled content with zero-length resources. An attacker could possibly use this issue to trigger a buffer over-read, resulting in information disclosure or a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2369) Kona Arctic discovered that libsoup did not properly protect sensitive cookies when establishing HTTPS tunnels through an HTTP proxy. An attacker could possibly use this issue to intercept session cookies, resulting in session hijacking or user impersonation. (CVE-2026-5119)
CSIRTS triage
- What
- Vulnerabilities in libsoup could lead to information disclosure and denial of service.
- Who is affected
- Users of libsoup on specified Ubuntu versions are affected.
- Urgency
- Remediation is important to prevent potential information disclosure and service disruption.
- Action
- Users should update libsoup to the latest version.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-2369
Get an email if CVE-2026-2369 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.42% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 34% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownUSN-8523-1: libsoup vulnerabilitiesubuntu · 2026-07-09
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-2369)