🟠 High | Source: Microsoft Security Response Center
CVE-2026-15712 is a heap buffer over-read vulnerability in libsoup3, an HTTP client/server library, triggered when parsing HTTP/2 GOAWAY frames due to an invalid null-termination assumption. An attacker could potentially exploit this to read out-of-bounds memory, leading to information disclosure or application crashes. This affects services and workloads running on Azure that rely on libsoup3 for HTTP/2 communications.
Security Architect’s Take: Identify any Azure-hosted workloads or containerised applications using libsoup3 and prioritise patching to the latest fixed version; additionally, review whether HTTP/2 is strictly necessary and consider disabling it where not required to reduce the attack surface.
Original advisory: CVE-2026-15712 Soupclientmessageiohttp2: libsoup3: libsoup: http/2 goaway frame parsing heap buffer over-read via invalid nul-termination assumption