Red Hat disclosed a high-severity vulnerability in the libsoup network library that lets a remote, unauthenticated attacker crash a service with a single, carefully crafted compressed WebSocket message. The flaw, tracked as CVE-2026-15709 and rated 7.5 on the CVSS scale, affects Red Hat Enterprise Linux 8, 9, and 10, and as of this writing, no official patch is available. Because libsoup can end up in Windows environments through WSL, containers, and bundled applications, this isn’t just a Linux problem.
The Vulnerability Details
The bug lies in how libsoup handles the permessage-deflate WebSocket extension, which compresses message payloads to save bandwidth. When libsoup decompresses such a message, it processes the data in chunks without capping how much memory it can allocate during inflation. The library does check the size of the incoming compressed frame with the max_incoming_payload_size setting, but that cap doesn’t constrain the decompressed output. A separate check, max_total_message_size, exists but only runs after decompression is finished—and it’s completely disabled by default for client connections.
The result: an attacker can send a tiny compressed payload—a “decompression bomb”—that expands wildly, forcing the receiving application to allocate memory until it runs out and crashes. Red Hat classifies this as CWE-409, improper handling of highly compressed data. The attack requires no special privileges, no user interaction, and can be launched over the network (CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The impact is limited to availability; an attacker cannot execute code, steal data, or modify anything.
The libsoup library internally uses zlib for decompression, and the flaw is in the inflate() loop that processes the compressed data chunk by chunk. Because there’s no progressive check on total memory allocated during the loop, a highly compressed payload that expands by a factor of thousands can consume all available memory before the post-decompression size check ever runs. This is essentially the network‑service equivalent of a classic “zip bomb.”
Why This Matters for Your Systems
If you run RHEL 8, 9, or 10 with any service that uses libsoup’s WebSocket functionality, you could be at risk. The vulnerable extension is often negotiated automatically to reduce bandwidth, so even if you didn’t explicitly enable compression, it might be active. A publicly reachable server can be forced into an out-of-memory (OOM) state and crash, potentially disrupting critical business processes.
For Windows administrators, the vulnerability isn’t in the OS itself, but many Windows environments are home to Linux workloads. Windows Subsystem for Linux (WSL) distributions, Docker containers, and even some desktop applications bundle libsoup. For example, GTK‑based tools, media players, or development utilities may ship their own copy. If any of those use libsoup WebSockets with compression, they become a backdoor for DoS attacks on employee workstations or build servers.
The good news is that this is strictly a crash bug, not a foothold for deeper compromise. Still, repeated crashes can be weaponized to mask multi‑stage attacks or simply cause persistent downtime. The CISA SSVC assessment (added the day after Red Hat’s disclosure) indicates that proof‑of‑concept code exists and the attack is automatable. That doesn’t mean mass exploitation is happening right now, but it does raise the urgency for defenders to act.
How the Decompression Oversight Occurred
libsoup is a core networking library in the GNOME ecosystem and ships with many Linux distributions. The permessage-deflate extension was added to improve performance for chatty WebSocket connections. The developers set an incoming size limit to prevent a single massive frame from overwhelming memory, but they overlooked that a small compressed payload can decompress to something enormous. This is a recurring challenge; the industry has seen similar issues with gzip bombs in HTTP servers and XML parsers.
Red Hat assigned the vulnerability and published details on July 14, 2026, after presumably receiving a private report. The same day, the upstream GNOME issue was made public. The vulnerability tracking community quickly added SSVC scores and enriched the NVD record. Currently, Red Hat lists RHEL 6 and 7 as “unknown”; administrators should not assume those releases are immune without explicit vendor confirmation.
Steps to Protect Your Environment Now
Until Red Hat releases an official fix, your best defense is to identify where libsoup lives in your environment and limit exposure of the vulnerable path.
1. Inventory Package Presence
On RHEL systems, first check if the relevant packages are installed:
rpm -q libsoup libsoup3
dnf list --installed libsoup libsoup3
Package presence alone doesn’t confirm you’re using WebSocket compression, but it flags systems that need deeper investigation.
2. Investigate WebSocket Usage and Compression
Talk to your application owners. Ask whether their software relies on libsoup WebSockets and, if so, whether permessage-deflate is enabled. Look for open file descriptors or network connections that indicate WebSocket traffic. If the application’s configuration allows it, try disabling the compression extension entirely. Even if you can’t disable it, restricting which peers can connect to the service reduces the risk until a patch is available.
3. Scan Windows Environments
For Windows machines that host Linux workloads, start by enumerating WSL distributions:
wsl -l -v
Inside each distribution, run the same package queries as above. For RPM‑based distros inside WSL, you can use:
wsl -d DistroName -- sh -lc 'rpm -q libsoup libsoup3'
Next, scan your container images. If you use Docker Desktop, list images and inspect them with a tool like Syft:
syft <image-name> -o syft-table | grep -E 'libsoup|libsoup3'
Alternatively, enter a running container and run rpm -q libsoup libsoup3 directly. Containerized workloads often carry their own copies of the library, independent of the host OS. A fully patched host doesn’t guarantee that the container images are safe.
Some Windows applications may bundle libsoup as a DLL. A quick PowerShell search can surface candidates:
Get-ChildItem 'C:\Program Files','C:\Program Files (x86)' -Recurse -ErrorAction SilentlyContinue -Include '*libsoup*.dll' | Select-Object FullName
If you find a file, trace it back to the installed application and check whether that application uses WebSocket functionality and is exposed to untrusted compressed connections.
4. Apply Mitigations and Monitor for Patches
For all exposure paths, if an Out‑of‑Memory crash would cause significant operational disruption, consider:
- Isolating the service behind a firewall so only trusted peers can connect.
- Disabling the permessage-deflate extension if the application allows it (e.g., via build options or runtime configuration).
- Reducing the number of concurrent WebSocket connections to limit the blast radius.
Do not assume that running a routine dnf update will fix this. Red Hat has not yet released an erratum with a fixed package build. Monitor the official advisory (see reference links) for a patched version, and only close the finding after you’ve verified that the fixed library is installed and the running processes have been restarted.
Looking Ahead
CVE-2026-15709 is a textbook example of why resource limits must be enforced at every stage of data processing, not just at the input boundary. The libsoup project will need to add a memory cap during decompression, and the broader developer community should audit other WebSocket implementations for similar weaknesses. For IT teams, this is a reminder that inventory tools often flag libraries without telling you whether the vulnerable code path is actually reachable. The real work is connecting the package to the running application and understanding its exposure.
Red Hat will likely deliver patches in a coordinated release, but timing isn’t public yet. In the meantime, treat this as a high‑priority inventory and configuration review, not a fire drill. The fallout from a few well‑aimed decompression bombs can be just as disruptive as a ransomware attack if it takes down your critical services.