CVE-2026-1536

EUVD-2026-4887

28.01.2026, 16:16

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

CRLF Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.8 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
gnome	libsoup	-
redhat	enterprise_linux	6.0
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0
redhat	enterprise_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libsoup2.4

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable
trixie	no-dsa

libsoup3

bookworm	no-dsa
forky	3.6.6-1 fixed
sid	3.6.6-1 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

libsoup2.4

bionic	needed
focal	needed
jammy	needed
noble	needed
questing	needed
resolute	needed
xenial	needed

libsoup3

jammy	Fixed 3.0.7-0ubuntu1+esm7 released
noble	Fixed 3.4.4-5ubuntu0.7 released
questing	Fixed 3.6.5-4ubuntu0.2 released
resolute	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

libsoup-3_0-0

suse enterprise desktop 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise sap 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP6	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP7	3.4.4-150600.3.31.1 fixed

libsoup-devel

suse enterprise desktop 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise sap 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP6	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP7	3.4.4-150600.3.31.1 fixed

libsoup-lang

suse enterprise desktop 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise sap 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP6	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP7	3.4.4-150600.3.31.1 fixed

typelib-1_0-Soup-3_0

suse enterprise desktop 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise sap 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise sap 15 SP7	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP4	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP5	3.0.4-150400.3.31.1 fixed
suse enterprise server 15 SP6	3.4.4-150600.3.31.1 fixed
suse enterprise server 15 SP7	3.4.4-150600.3.31.1 fixed

Known Exploits!

https://gitlab.gnome.org/GNOME/libsoup/-/issues/486

Common Weakness Enumeration

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References

https://access.redhat.com/security/cve/CVE-2026-1536

https://bugzilla.redhat.com/show_bug.cgi?id=2433834

https://gitlab.gnome.org/GNOME/libsoup/-/issues/486