Vulnerability DatabaseCVE-2025-32053

CVE-2025-32053:
Rocky Linux vulnerability analysis and mitigation

Overview

A heap buffer over-read vulnerability was discovered in libsoup (CVE-2025-32053), affecting the sniff_feed_or_html() and skip_insignificant_space() functions. The vulnerability was reported on April 3, 2025, and affects multiple versions of libsoup2.4 and libsoup3 packages (NVD, Debian Tracker).

Technical details

The vulnerability is classified as CWE-126 (Buffer Over-read) with a CVSS v3.1 base score of 6.5 (Medium). The issue occurs in the content sniffer's sniff_feed_or_html() and skip_insignificant_space() functions, where libsoup clients may perform out-of-bounds reads when processing crafted HTTP responses from servers (Red Hat Bugzilla).

Impact

When exploited, this vulnerability could allow attackers to cause applications using libsoup to crash, resulting in a denial of service condition. The vulnerability affects the confidentiality and availability of the system, as indicated by the CVSS metrics showing Low impact on confidentiality and availability (Ubuntu Security).

Mitigation and workarounds

The vulnerability has been fixed in libsoup3 version 3.6.1 and later, and in libsoup2.4 version 2.74.3-10. Various Linux distributions have released security updates to address this issue. Ubuntu has released patches for versions 20.04 LTS through 24.10, and Debian has fixed the issue in their 'sid' release (Debian Tracker, Ubuntu Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

6.5

Score

Published April 3, 2025

Severity MEDIUM

CNA Score 6.5

Affected Technologies

Rocky Linux
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 78.1

Exploitation Probability (EPSS) 1.1

Affected packages and libraries

libsoup-devel
mingw64-freetype-static

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: May 08, 2025
- AlmaLinux 9 Severity HIGHHas FixAdded at: May 22, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity MEDIUMHas FixAdded at: Jul 12, 2025
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: May 29, 2025
Debian Security Tracker
- Debian 11, 12, 13 Severity MEDIUMHas FixAdded at: Apr 04, 2025
- Debian 14 Severity MEDIUMHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity MEDIUMHas FixAdded at: Nov 18, 2025
Photon Security Advisory
- Photon 4.0 Severity MEDIUMHas FixAdded at: Jun 01, 2025
- Photon 5.0 Severity MEDIUMHas FixAdded at: May 18, 2025
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Apr 03, 2025
- Red Hat 8 Severity MEDIUMHas FixAdded at: Apr 03, 2025
- Red Hat 9 Severity MEDIUMHas FixAdded at: Apr 03, 2025
Rocky Linux Product Errata
- Rocky 8 Severity HIGHHas FixAdded at: Aug 03, 2025
Seal Security
- Red Hat 7 Severity MEDIUMHas FixAdded at: Nov 18, 2025
TuxCare
- AlmaLinux 9.2 Severity MEDIUMHas FixAdded at: Nov 18, 2025
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04 Severity MEDIUMHas FixAdded at: Jun 05, 2025
- Ubuntu 20.04, 22.04, 24.04, 24.10 Severity MEDIUMHas FixAdded at: Apr 09, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Rocky Linux vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-4111	HIGH	7.5	Rocky Linux	libarchive	No	Yes	Mar 13, 2026
CVE-2026-26130	HIGH	7.5	C#	dotnet-runtime-9.0-debuginfo	No	Yes	Mar 10, 2026
CVE-2026-26127	HIGH	7.5	C#	Microsoft.NetCore.App.Runtime.win-arm64	No	Yes	Mar 10, 2026
CVE-2025-12801	MEDIUM	6.5	Rocky Linux	nfs-utils-lib-devel	No	Yes	Mar 04, 2026
CVE-2026-26104	MEDIUM	5.5	NixOS	udisks2-iscsi	No	Yes	Feb 25, 2026