🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-15709 is a vulnerability in libsoup, a GNOME HTTP client/server library, affecting its WebSocket permessage-deflate extension. A remote attacker can send specially crafted compressed WebSocket messages that trigger unbounded decompression, consuming excessive memory or CPU and causing a denial of service. This matters because libsoup is used across Linux-based cloud workloads and containerised environments, making internet-facing services potentially susceptible to availability attacks.

Security Architect’s Take: Identify any Azure-hosted workloads or container images that ship libsoup and prioritise patching to a fixed version; additionally, consider placing WebSocket endpoints behind a WAF or API gateway configured to enforce message size limits as a compensating control until patches are applied.

Original advisory: CVE-2026-15709 Soupwebsocketextensiondeflate: libsoup: libsoup: websocket permessage-deflate unbounded decompression remote denial of service