CVE-2025-32911: 
Alma Linux vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-32911) was discovered in libsoup, affecting versions prior to 3.6.3. The vulnerability was disclosed on April 15, 2025, and involves a use-after-free memory issue not on the heap in the soupmessageheadersgetcontent_disposition() function. This security flaw affects various Linux distributions including Red Hat Enterprise Linux 8 and 9, Debian, and Ubuntu systems running libsoup2.4 and earlier versions of libsoup3 (NVD, Ubuntu Security).

The vulnerability is classified with CWE-590 (Free of Memory not on the heap) and has received a CVSS v3.1 base score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue specifically occurs in the soupmessageheadersgetcontent_disposition() function through 'soup-message-headers.c' via 'params' GHashTable value (Red Hat XML, Debian Tracker).

The vulnerability allows a malicious HTTP client to cause memory corruption in the libsoup server, potentially leading to high impacts on confidentiality, integrity, and availability of the affected systems. The critical CVSS score of 9.0 indicates severe potential consequences if exploited (NVD, Ubuntu Security).

Currently, no direct mitigation is available for this vulnerability. However, the issue has been fixed in libsoup3 version 3.6.4-1 and later. Users are advised to upgrade to the fixed version when available. The fix has been implemented through a commit in the libsoup repository (Debian Tracker).