Libsoup Heap Use-After-Free Vulnerability in HTTP/2 Message Queue Handling

Vulnerability

A heap use-after-free vulnerability has been identified in the libsoup library, which is commonly used in GNOME and WebKit-based applications for managing HTTP/2 communications. The flaw is in the asynchronous message queue handling and is triggered when network operations are aborted at particular moments. Because the queue item's state is not properly synchronized between these paths, an internal message queue item can be freed twice, which leads to a use-after-free memory access and can crash the application. The vulnerability can be exploited remotely by sending crafted HTTP/2 read and cancel sequences, causing a denial-of-service condition.
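The defensive pattern for this class of bug, as an added example that is not libsoup's code or its fix: a queue item whose completion path and cancel path both go through one guarded state transition, so the queue's reference is released exactly once. All type and function names are hypothetical, and the model assumes a single-threaded event loop.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical queue item; names are illustrative, not libsoup's. */
typedef enum { ITEM_RUNNING, ITEM_FINISHED } item_state;
typedef struct {
    int refs;          /* 1 for the queue + 1 per in-flight operation */
    item_state state;
} queue_item;

static queue_item *item_new(void) {
    queue_item *it = calloc(1, sizeof *it);
    if (!it) abort();
    it->refs = 1;                  /* reference owned by the queue */
    it->state = ITEM_RUNNING;
    return it;
}

static void item_ref(queue_item *it) { it->refs++; }

/* Returns true when the last reference was dropped and the item freed. */
static bool item_unref(queue_item *it) {
    if (--it->refs > 0) return false;
    free(it);
    return true;
}

/* Called by both the completion path and the cancel path. Only the first
 * caller wins the state transition and drops the queue's reference.
 * Without the state check, the second caller would drop a reference it
 * does not own and free the item under the in-flight operation. */
static bool item_finish(queue_item *it) {
    if (it->state == ITEM_FINISHED) return false;
    it->state = ITEM_FINISHED;
    item_unref(it);                /* release the queue's reference once */
    return true;
}

/* Constructed scenario: a read completes, then a late cancel arrives.
 * Returns how many times the queue's reference was released. */
int releases_after_read_then_cancel(bool *freed_at_end) {
    queue_item *it = item_new();
    item_ref(it);                  /* held by the in-flight operation */
    int releases = 0;
    releases += item_finish(it);   /* read completes: queue ref dropped */
    releases += item_finish(it);   /* late cancel: no-op, item still valid */
    *freed_at_end = (it->refs == 1) && item_unref(it);
    return releases;
}
```

Building the calling application with AddressSanitizer (`-fsanitize=address`) reports a double release like this at the point of the second free, which is the quickest way to confirm the pattern in testing.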

Impact

Exploitation of this vulnerability causes applications or network services that rely on libsoup for HTTP/2 processing to crash, creating a denial-of-service condition. While the flaw does not allow for code execution or system compromise, it disrupts service availability, which can be particularly problematic in production environments.

Reproduction

The vulnerability can be reproduced with an application that uses the libsoup library for HTTP/2 communications. When a network operation is canceled at a specific moment, the message queue handling is disrupted, leading to a use-after-free condition. This is achieved by sending crafted HTTP/2 requests that are read and then canceled, using the timing of these operations to trigger the vulnerability.

Added: Oct 23, 2025, 10:17 AM
Updated: Oct 23, 2025, 10:17 AM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.