CVE-2026-1760
HTTP Request Smuggling in SoupServer Causes Potential DoS
Publication date: 2026-02-02
Last updated on: 2026-03-19
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnome | libsoup | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an HTTP request smuggling flaw in SoupServer, part of libsoup. It happens because SoupServer improperly handles HTTP requests that include both 'Transfer-Encoding: chunked' and 'Connection: keep-alive' headers. Specifically, SoupServer fails to close the connection as required by RFC 9112 after sending a response. This allows an attacker to send specially crafted requests that smuggle additional HTTP requests over the same persistent connection, leading to unintended request processing. [1]
How can this vulnerability impact me?
An attacker can exploit this vulnerability remotely without authentication to smuggle additional HTTP requests over a persistent connection. This can cause unintended request processing and potentially lead to denial-of-service (DoS) conditions, disrupting the availability of the affected service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP traffic for requests that include both 'Transfer-Encoding: chunked' and 'Connection: keep-alive' headers, which SoupServer improperly handles. Network packet capture tools like tcpdump or Wireshark can be used to filter and analyze such HTTP requests. For example, `tcpdump -A -s 0 'tcp port 80'` captures HTTP traffic on port 80, which can then be inspected for suspicious requests combining these headers. Additionally, reviewing server logs for abnormal persistent connections or unexpected request processing may help identify exploitation attempts. [1]
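The header check described above, as an added example that is not part of the original page or of libsoup: a Python scanner that walks one reassembled cleartext client-to-server stream (for instance, exported from a capture), counts the requests on that connection, and flags those carrying both headers. The names `scan_stream` and `SAMPLE` and the host `app.example` are constructed for illustration.

```python
def parse_headers(block: bytes) -> dict:
    """Lower-cased header map; repeated fields are joined with commas."""
    headers = {}
    for line in block.split(b"\r\n")[1:]:          # [0] is the request line
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        val = value.strip().lower().decode("latin-1")
        headers[key] = f"{headers[key]},{val}" if key in headers else val
    return headers

def skip_chunked_body(stream: bytes, pos: int) -> int:
    """Return the offset just past a chunked body that starts at pos."""
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            return len(stream)                     # truncated capture
        try:
            size = int(stream[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            size = -1
        if size < 0:
            return len(stream)                     # malformed chunk size: stop parsing
        if size == 0:                              # last chunk; optional trailers follow
            end = stream.find(b"\r\n\r\n", eol)
            return len(stream) if end < 0 else end + 4
        pos = eol + 2 + size + 2                   # chunk data plus its CRLF

def scan_stream(stream: bytes):
    """Return (request_count, flagged); flagged holds (index, request line)."""
    flagged, pos, count = [], 0, 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        block = stream[pos:end]
        headers = parse_headers(block)
        count += 1
        te = {t.strip() for t in headers.get("transfer-encoding", "").split(",")}
        conn = {t.strip() for t in headers.get("connection", "").split(",")}
        if "chunked" in te and "keep-alive" in conn:   # combination named on this page
            flagged.append((count, block.split(b"\r\n")[0].decode("latin-1")))
        pos = end + 4
        if "chunked" in te:
            pos = skip_chunked_body(stream, pos)
        else:
            length = headers.get("content-length", "0")
            pos += int(length) if length.isdecimal() else 0
    return count, flagged

# Constructed sample: two well-formed requests on one persistent connection.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n"
          b"Connection: keep-alive\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
          b"GET /status HTTP/1.1\r\nHost: app.example\r\n\r\n")
```

`scan_stream(SAMPLE)` reports two requests on the connection and flags the first; a flag marks a request worth reviewing against server logs, not proof of exploitation.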
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating libsoup to a patched version where this vulnerability is fixed. If an update is not immediately possible, consider disabling persistent connections or restricting the use of 'Transfer-Encoding: chunked' headers in incoming requests at the server or network level. Implementing firewall rules or web application firewall (WAF) filters to block suspicious HTTP requests that combine 'Transfer-Encoding: chunked' and 'Connection: keep-alive' headers can also reduce risk. Monitoring and limiting the number of requests per connection may help prevent exploitation. [1]