CVE-2026-3633: CRLF Injection in Redhat Enterprise Linux

CWE-93: CRLF Injection | 8 documents | 8 sources
Severity: 6.5 MEDIUM (NVD), CNA 3.9
EPSS: 0.0% (top 90.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Mar 17

Description

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
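A caller-side check for the condition described above, as an added example that is not libsoup's code or its fix: it accepts a method string only if it is an HTTP token (RFC 9110 `tchar` characters), so CR, LF, spaces and other separators are rejected before the value reaches `soup_message_new()`. The helper name, the length bound and the sample inputs are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on method length; not taken from libsoup or an RFC. */
#define METHOD_MAX_LEN 32

/* RFC 9110 tchar: ALPHA / DIGIT / one of "!#$%&'*+-.^_`|~". */
static bool is_tchar(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return true;
    /* strchr() also matches the terminating NUL, so exclude it explicitly. */
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Hypothetical helper: true only for a non-empty, bounded HTTP token.
 * Anything containing CR, LF, SP or other non-token bytes is refused. */
bool method_is_safe_token(const char *method)
{
    size_t n = 0;

    if (method == NULL)
        return false;
    for (; method[n] != '\0'; n++) {
        if (n >= METHOD_MAX_LEN || !is_tchar((unsigned char)method[n]))
            return false;
    }
    return n > 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any advisory. */
    const char *samples[] = { "GET", "M-SEARCH", "GET\r\nX-Constructed: 1",
                              "GET /other", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s method #%zu\n",
               method_is_safe_token(samples[i]) ? "accept" : "reject", i);
    return 0;
}
```

Call the check on any method value derived from untrusted input and refuse the request when it returns false, rather than trying to strip the offending bytes.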

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages: 0 packages

Also affects: Enterprise Linux 10.0, 6.0, 7.0, 8.0, 9.0

Vulnerability Details (3)

CVEList: Libsoup: libsoup: header and http request injection via crlf injection (2026-03-17)
OSV: CVE-2026-3633: A flaw was found in libsoup (2026-03-17)
GHSA: GHSA-6p72-283f-crv2: A flaw was found in libsoup (2026-03-17)

Vendor Advisories (3)

Microsoft: Libsoup: libsoup: header and http request injection via crlf injection (2026-03-10)
Red Hat: libsoup: libsoup: Header and HTTP request injection via CRLF injection (2026-03-06)
Debian: CVE-2026-3633: libsoup2.4 - A flaw was found in libsoup. A remote attacker, by controlling the method parame... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-3633 Impact, Exploitability, and Mitigation Steps | Wiz