1. Ubuntu Security Notices
  2. USN-8020-1

USN-8020-1: libsoup vulnerabilities

Publication date

8 February 2026

Overview

Several security issues were fixed in libsoup.

Releases

Packages

  • libsoup3 - HTTP client/server library for GNOME

Details

It was discovered that libsoup did not correctly handle certain
URL-decoded input, which could allow for HTTP header injection. A remote
attacker could possibly use this issue to cause a denial of service or
execute arbitrary code. (CVE-2026-1467, CVE-2026-1536)

It was discovered that libsoup did not correctly handle removal of the
Proxy-Authorization header. A remote attacker could possibly use this
issue to leak sensitive information. (CVE-2026-1539)

It was discovered that libsoup did not correctly handle certain
URL-decoded input, which could allow for HTTP header injection. A remote
attacker could possibly use this issue to cause a denial of service or
execute arbitrary code. (CVE-2026-1467, CVE-2026-1536)

It was discovered that libsoup did not correctly handle removal of the
Proxy-Authorization header. A remote attacker could possibly use this
issue to leak sensitive information. (CVE-2026-1539)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
25.10 questing gir1.2-soup-3.0 –  3.6.5-4ubuntu0.2
libsoup-3.0-0 –  3.6.5-4ubuntu0.2
libsoup-3.0-common –  3.6.5-4ubuntu0.2
libsoup-3.0-dev –  3.6.5-4ubuntu0.2
libsoup-3.0-doc –  3.6.5-4ubuntu0.2
libsoup-3.0-tests –  3.6.5-4ubuntu0.2
24.04 LTS noble gir1.2-soup-3.0 –  3.4.4-5ubuntu0.7
libsoup-3.0-0 –  3.4.4-5ubuntu0.7
libsoup-3.0-common –  3.4.4-5ubuntu0.7
libsoup-3.0-dev –  3.4.4-5ubuntu0.7
libsoup-3.0-doc –  3.4.4-5ubuntu0.7
libsoup-3.0-tests –  3.4.4-5ubuntu0.7
22.04 LTS jammy gir1.2-soup-3.0 –  3.0.7-0ubuntu1+esm7  
libsoup-3.0-0 –  3.0.7-0ubuntu1+esm7  
libsoup-3.0-common –  3.0.7-0ubuntu1+esm7  
libsoup-3.0-dev –  3.0.7-0ubuntu1+esm7  
libsoup-3.0-doc –  3.0.7-0ubuntu1+esm7  
libsoup-3.0-tests –  3.0.7-0ubuntu1+esm7  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›