Description
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
Published: 2026-03-17
Score: 3.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Injection via CRLF
Action: Assess Impact
AI Analysis

Impact

A flaw in libsoup allows an attacker who can supply the method argument to the soup_message_new() function to inject arbitrary HTTP headers and additional request data through CRLF injection. The method value is not escaped during request line construction, enabling header and request line manipulation. This can lead to unintended request behavior, possible request smuggling, or other attack vectors that alter the semantics of HTTP traffic, raising integrity and availability concerns.

Affected Systems

The vulnerability affects the libsoup library on Red Hat Enterprise Linux 6 through 10. Any installation of libsoup on those platforms, including RHEL derivatives that ship the library, is potentially impacted.

Risk and Exploitability

The CVSS score is 3.9, indicating low severity, and the EPSS score is below 1%, suggesting a very low probability of exploitation. It is not listed in the CISA KEV catalog. Nevertheless, the attack vector is remote: an adversary can exploit the flaw via network traffic that goes through an application using the vulnerable libsoup library. No active exploitation is currently documented, but the availability of an injection point means that an attacker could craft malicious requests to influence application behavior.

Generated by OpenCVE AI on April 17, 2026 at 09:56 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.


OpenCVE Recommended Actions

  • Ensure that any application code using soup_message_new() validates the method argument, restricting it to a narrow set of allowed HTTP verbs (GET, POST, PUT, DELETE, etc.) to eliminate CRLF injection.
  • Apply network-level controls such as firewalls or reverse proxies to restrict access to services that use libsoup to trusted hosts or IP ranges.
  • Monitor vendor advisories and apply subsequent security updates as soon as they are released.
  • No official workaround is available from Red Hat; rely on the application-level method validation mitigation instead.
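Added example (not code from libsoup or Red Hat) of the method validation recommended above: the string is checked against the RFC 9110 token grammar and an application-specific allowlist before it could reach soup_message_new(). The allowlist, the checked_request() wrapper and the example.invalid URI are assumptions; the libsoup call itself appears only as a comment so the file builds without the library.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verbs this (hypothetical) application actually sends; anything else is
 * rejected even if it is a syntactically valid token. */
static const char *const ALLOWED_METHODS[] = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", NULL
};

/* RFC 9110 tchar set: CR, LF, space and ':' are not in it, so a method
 * carrying "\r\n" plus an injected header can never pass this check. */
static bool is_tchar(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return true;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* True only if every byte is a tchar AND the method is allowlisted. */
bool http_method_is_safe(const char *method)
{
    if (method == NULL || *method == '\0') return false;
    for (const char *p = method; *p != '\0'; p++)
        if (!is_tchar((unsigned char)*p)) return false;
    for (size_t i = 0; ALLOWED_METHODS[i] != NULL; i++)
        if (strcmp(method, ALLOWED_METHODS[i]) == 0) return true;
    return false;
}

/* Hypothetical wrapper to call instead of a bare soup_message_new(); the real
 * call is left as a comment because this file is built without libsoup. */
int checked_request(const char *method, const char *uri)
{
    if (!http_method_is_safe(method)) {
        fprintf(stderr, "refusing request to %s: bad method\n", uri);
        return -1;
    }
    /* SoupMessage *msg = soup_message_new(method, uri); ... */
    return 0;
}

int main(void)
{   /* Constructed inputs: a plain verb, then one carrying CRLF and a header. */
    printf("GET -> %d\n", checked_request("GET", "https://example.invalid/"));
    printf("CRLF -> %d\n", checked_request("GET\r\nX-Injected: 1", "https://example.invalid/"));
    return 0;
}
```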



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 20:00:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Gnome; Gnome libsoup
Type: CPEs
  Values removed: (none)
  Values added:
    cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Type: Vendors & Products
  Values removed: (none)
  Values added: Gnome; Gnome libsoup

Tue, 17 Mar 2026 13:15:00 +0000

Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type: Description
  Values removed: No description is available for this CVE.
  Values added: A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
Type: Title
  Values removed: libsoup: libsoup: Header and HTTP request injection via CRLF injection
  Values added: Libsoup: libsoup: header and http request injection via crlf injection
Type: First Time appeared
  Values removed: (none)
  Values added: Redhat; Redhat enterprise Linux
Type: CPEs
  Values removed: (none)
  Values added:
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
Type: Vendors & Products
  Values removed: (none)
  Values added: Redhat; Redhat enterprise Linux
Type: References (values not shown)

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Libsoup; Libsoup libsoup
Type: Vendors & Products
  Values removed: (none)
  Values added: Libsoup; Libsoup libsoup

Fri, 06 Mar 2026 12:15:00 +0000

Type: Description
  Values removed: (none)
  Values added: No description is available for this CVE.
Type: Title
  Values removed: (none)
  Values added: libsoup: libsoup: Header and HTTP request injection via CRLF injection
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-93
Type: References (values not shown)
Type: Metrics
  Values removed: threat_severity: None
  Values added:
    cvssV3_1: {'score': 3.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L'}
    threat_severity: Low


Subscriptions

Gnome Libsoup
Libsoup Libsoup
Redhat Enterprise Linux
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-19T20:57:05.472Z

Reserved: 2026-03-06T07:57:52.748Z

Link: CVE-2026-3633

Vulnrichment

Updated: 2026-03-17T12:59:51.860Z

NVD

Status : Analyzed

Published: 2026-03-17T10:16:00.677

Modified: 2026-03-19T19:53:34.563

Link: CVE-2026-3633

Redhat

Severity : Low

Public Date: 2026-03-06T05:05:00Z

Links: CVE-2026-3633 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses