CVE-2025-46420: 
Rocky Linux vulnerability analysis and mitigation

A memory leak vulnerability was identified in libsoup (CVE-2025-46420) affecting the soupheaderparsequalitylist() function. The vulnerability was discovered on April 24, 2025, and affects the parsing of quality lists containing elements with all zeroes in HTTP headers. This vulnerability impacts various versions of libsoup, including versions prior to 3.6.3 (NVD, Debian Tracker).

The vulnerability occurs in the soupheaderparsequalitylist() function when parsing HTTP header quality lists that contain elements with all zeroes (e.g., q=0.0, q=0.00, q=0.000). The issue has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

The memory leak can result in gradual degradation of system performance and potential denial of service conditions. Most memory leaks result in general product reliability problems, but if an attacker can intentionally trigger the memory leak, they might be able to cause resource exhaustion (Red Hat CVE).

The vulnerability has been fixed in libsoup version 3.6.3. Users are advised to upgrade to the latest version. For Debian systems, fixed versions are available in sid (2.74.3-10.1 for libsoup2.4 and 3.6.5-1 for libsoup3) (Debian Tracker).