CVE-2026-3633
Status: Received - Intake
CRLF Injection in libsoup's soup_message_new() Enables HTTP Request Manipulation

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: Red Hat, Inc.

Description
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
Meta Information
Published: 2026-03-17
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (6 associated CPEs)
Vendor   Product           Version / Range
redhat   enterprise_linux  7.0
redhat   enterprise_linux  6.0
redhat   enterprise_linux  8.0
redhat   enterprise_linux  9.0
redhat   enterprise_linux  10.0
gnome    libsoup           *
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3633 is a vulnerability in the libsoup library related to HTTP request construction. Specifically, it occurs in the function soup_message_new(), which creates a new HTTP request. The vulnerability arises because the method parameter used in the HTTP request line is not properly escaped or validated.

An attacker who can control the method parameter can inject Carriage Return Line Feed (CRLF) sequences, allowing them to insert arbitrary HTTP headers and additional request data into the request. This is known as CRLF injection and can lead to header injection and HTTP request injection attacks.


How can this vulnerability impact me?

This vulnerability allows an attacker who controls the HTTP method parameter to manipulate HTTP requests by injecting arbitrary headers and data. This can alter the behavior of HTTP communication between clients and servers.

Potential impacts include unauthorized modification of request headers, which could lead to security issues such as bypassing security controls, session fixation, cache poisoning, or other HTTP-based attacks depending on how the server processes the injected headers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves CRLF injection via the method parameter in HTTP requests created by libsoup's soup_message_new() function. Detection can focus on monitoring HTTP requests for unusual or malformed method values containing CRLF sequences or unexpected headers injected into requests.

To detect potential exploitation on your network, you can capture HTTP traffic and look for suspicious HTTP request lines where the method field contains carriage return or line feed characters or unexpected headers appear.

Example commands to detect such anomalies include:

- Using tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
- Using grep or similar tools to search for CRLF sequences or injected headers in captured traffic, e.g., grep -P '\r|\n' captured_traffic.txt
- Using Wireshark to filter HTTP requests and inspect the method field for invalid characters or injected headers. [1]


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to sanitize or reject any method values containing invalid characters, including whitespace or CRLF sequences, to prevent injection attacks.

If you maintain or configure software using libsoup, ensure that the method parameter passed to soup_message_new() is properly validated and escaped before use.

Additionally, applying any available security patches or updates from your software vendor that address this vulnerability is crucial.
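As an added illustration of that validation step (example code written for this page, not libsoup's own), the C function below admits only the RFC 9110 token characters that an HTTP method may contain, so a value carrying CR, LF or whitespace is rejected before it can reach a request line. `build_request_line` is a hypothetical stand-in for the request-line construction performed inside `soup_message_new()`, not the library API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 9110 s5.6.2: method = token = 1*tchar. These are the tchar symbols
 * permitted besides ALPHA and DIGIT; CR, LF, SP, HTAB and every other byte
 * are rejected, which is exactly what keeps the request line intact. */
static const char TCHAR_SYMBOLS[] = "!#$%&'*+-.^_`|~";

/* Returns 1 if `method` is a well-formed HTTP method token, else 0. */
int is_valid_http_method(const char *method)
{
    if (method == NULL || *method == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)method; *p != '\0'; p++) {
        if (isalnum(*p) || strchr(TCHAR_SYMBOLS, *p) != NULL)
            continue;
        return 0; /* CR, LF, whitespace, control byte or non-ASCII */
    }
    return 1;
}

/* Hypothetical stand-in for the request-line construction done inside
 * soup_message_new(): writes "METHOD path HTTP/1.1\r\n" into buf only when
 * the method passes validation. Returns the bytes written, or -1 on rejection
 * or truncation. `path` is assumed to have been validated by the caller. */
int build_request_line(char *buf, size_t buflen, const char *method, const char *path)
{
    if (!is_valid_http_method(method))
        return -1;
    int n = snprintf(buf, buflen, "%s %s HTTP/1.1\r\n", method, path);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: two legitimate tokens and three values that
     * would split or extend the request line if passed through unchecked. */
    const char *samples[] = { "GET", "M-SEARCH", "GET\r\nX-Injected: 1",
                              "GET /other HTTP/1.1", "" };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_request_line(line, sizeof line, samples[i], "/index.html");
        printf("sample %zu: %s\n", i, n < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```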

