CVE-2026-2436
Published: 26 March 2026
Summary
CVE-2026-2436 is a medium-severity Expired Pointer Dereference (CWE-825) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free flaw in libsoup's SoupServer by applying patches referenced in advisories, preventing server crashes from dangling pointer access during TLS handshakes.
Implements memory protection mechanisms like address space randomization and non-executable memory to mitigate use-after-free vulnerabilities and limit their impact to crashes rather than further exploitation.
Provides denial-of-service protections to limit the availability impact of remote attacks triggering server crashes via premature connection object freeing.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in libsoup SoupServer enables remote exploitation to crash the server without privileges or interaction, directly facilitating endpoint DoS via application exploitation.
NVD Description
A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has…
more
been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.
Deeper analysisAI
CVE-2026-2436 is a use-after-free vulnerability in libsoup's SoupServer component. The flaw arises in the soup_server_disconnect() function, which prematurely frees connection objects even when a TLS handshake is still pending. If the handshake completes after the object has been freed, a dangling pointer is accessed, causing a server crash.
A remote attacker with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. Exploitation triggers a denial of service through server crash, with low integrity impact but high availability impact and no confidentiality impact. The CVSS v3.1 base score is 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H), mapped to CWE-825 (Expired Pointer Dereference).
Advisories and patches are detailed in Red Hat's security bulletin at https://access.redhat.com/security/cve/CVE-2026-2436, Red Hat Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2442909, and the GNOME libsoup issue tracker at https://gitlab.gnome.org/GNOME/libsoup/-/issues/501. Security practitioners should review these resources for mitigation guidance and available updates.
Details
- CWE(s)