CVE-2025-32050 is a libsoup memory-safety flaw that can cause availability impact. A crafted condition in HTTP parameter quoting can trigger an integer overflow leading to a buffer under-read. Red Hat rates it medium; the practical concern is service or application disruption where affected packages are installed.
Executive priority
Handle through normal vulnerability remediation with attention to systems where downtime matters. There is no source-supported evidence of active exploitation, but affected supported Red Hat releases have vendor advisories, making routine patch governance appropriate.
Technical view
The issue is in libsoup append_param_quoted(). The CVE describes an integer overflow that may result in a buffer under-read, mapped to CWE-127. CVSS 3.1 is 5.9 with network attack vector, high attack complexity, no privileges, no user interaction, and high availability impact only.
Likely exposure
Most likely exposure is Red Hat Enterprise Linux 8, 8.8 EUS, 9, 9.2 EUS, and 9.4 EUS systems carrying affected libsoup packages. The bundle also lists affected Red Hat mingw-freetype and spice-client-win packages. RHEL 10 libsoup3 is listed unaffected; RHEL 6 and 7 status is unknown.
Exploitation context
The source bundle does not show CISA KEV listing or any cited active exploitation. CVSS indicates remote reachability without authentication, but high attack complexity. Treat this as a reliability and availability risk rather than a confirmed data-theft issue based on available evidence.
Researcher notes
Evidence is strongest for Red Hat package exposure and the CVSS shape. The bundle does not provide exploit details, proof of active exploitation, or a universal upstream fixed version. Validate per distribution advisory and avoid extrapolating impact beyond affected package contexts.
Mitigation direction
Apply the relevant Red Hat security advisory updates for affected RHEL versions.
Check vendor guidance for Debian or other distributions before assuming equivalent fixes.
Prioritize internet-facing or high-availability systems using libsoup-dependent applications.
Track RHEL 6 and 7 status separately because the bundle lists them as unknown.
Validation and detection
Inventory installed libsoup, mingw-freetype, and spice-client-win package versions on Red Hat systems.
Map each system to the affected RHEL major or EUS release listed in the CVE data.
Confirm applied errata against RHSA-2025:4440, 4508, 4560, 4568, 7436, or 8292.
Review application dependency manifests for bundled or statically linked libsoup copies.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-127: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-127 · source CWE mapping
Buffer Under-read
Buffer Under-read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.