CVE-2026-12549

Description

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

References

VENDOR_ADVISORYhttps://access.redhat.com/security/cve/CVE-2026-12549
VENDOR_ADVISORYhttps://access.redhat.com/security/cve/cve-2026-0716
MISChttps://bugzilla.redhat.com/show_bug.cgi?id=2489999
MISChttps://gitlab.gnome.org/GNOME/libsoup/-/work_items/516