CVE-2026-3634
CRLF Injection in libsoup Content-Type Header Allows HTTP Splitting
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| gnome | libsoup | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3634 is a vulnerability in libsoup where an attacker can inject Carriage Return Line Feed (CRLF) sequences into the Content-Type HTTP header due to improper input sanitization in the function soup_message_headers_set_content_type().
This happens because the function uses soup_message_headers_append_common(), which does not restrict allowed characters in the header value, allowing CRLF sequences to be included.
As a result, an attacker controlling the Content-Type header value can inject arbitrary HTTP header-value pairs, leading to HTTP header injection and response splitting attacks.
How can this vulnerability impact me? :
This vulnerability allows an attacker who can control the Content-Type header value to perform HTTP header injection and response splitting attacks.
Such attacks can lead to security issues like manipulating HTTP responses, injecting malicious headers, or causing unexpected behavior in web applications or services using libsoup.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves injection of CRLF sequences into the Content-Type header, allowing HTTP header injection and response splitting. Detection can focus on monitoring HTTP traffic for unusual or unexpected header values, especially those containing CRLF sequences or injected headers such as 'X-Injected-By'."}, {'type': 'paragraph', 'content': 'One approach is to capture HTTP requests and responses using tools like tcpdump or Wireshark and inspect the Content-Type headers for suspicious characters or additional headers injected via CRLF sequences.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80'"}, {'type': 'list_item', 'content': "Use grep or similar tools to search for suspicious Content-Type headers in captured logs or traffic dumps, e.g., grep -i 'Content-Type' captured_traffic.log"}, {'type': 'list_item', 'content': 'Use curl or similar HTTP clients to test if the server or application accepts Content-Type headers with CRLF sequences by crafting requests with injected headers.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to update libsoup to a version where the function soup_message_headers_set_content_type() uses soup_message_headers_append() instead of soup_message_headers_append_common(). This change enforces character restrictions and prevents CRLF injection.
If updating is not immediately possible, consider implementing input validation or sanitization on the Content-Type header values to block CRLF sequences before they reach libsoup.
Additionally, monitor and restrict user-controlled inputs that influence HTTP headers, and apply web application firewall (WAF) rules to detect and block HTTP header injection attempts.