CVE-2026-3634

CWE-93 | 8 documents | 8 sources
Severity
6.5 MEDIUM
EPSS
0.0%
top 92.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 17

Description

A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Exploitability: 0.5 | Impact: 3.4

Affected Packages: 0 packages

Also affects: Enterprise Linux 10.0, 6.0, 7.0, 8.0, 9.0

Vulnerability Details (3)

GHSA
GHSA-jx6g-363c-pprr: A flaw was found in libsoup (2026-03-17)
OSV
CVE-2026-3634: A flaw was found in libsoup (2026-03-17)
CVEList
Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header (2026-03-17)

Vendor Advisories (3)

Microsoft
Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header (2026-03-10)
Red Hat
libsoup: libsoup: HTTP header injection and response splitting via CRLF injection in Content-Type header (2026-03-06)
Debian
CVE-2026-3634: libsoup2.4 - A flaw was found in libsoup. An attacker controlling the value used to set the C... (2026)

๐Ÿ•ต๏ธThreat Intelligence

1
Wiz
CVE-2026-3634 Impact, Exploitability, and Mitigation Steps | Wizโ†—
โ–ถ