CVE-2026-1801
EUVD-2026-517603.02.2026, 21:16
A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| gnome | libsoup | - |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| libsoup-2_4-1 |
| ||||||||||
| libsoup-3_0-0 |
| ||||||||||
| libsoup-devel |
| ||||||||||
| libsoup-lang |
| ||||||||||
| libsoup2-devel |
| ||||||||||
| libsoup2-lang |
| ||||||||||
| typelib-1_0-Soup-2_4 |
| ||||||||||
| typelib-1_0-Soup-3_0 |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| libsoup |
| ||
| libsoup-debuginfo |
| ||
| libsoup-debugsource |
| ||
| libsoup-devel |
| ||
| libsoup-doc |
| ||
| libsoup3 |
| ||
| libsoup3-debuginfo |
| ||
| libsoup3-debugsource |
| ||
| libsoup3-devel |
| ||
| libsoup3-doc |
|
Azure Linux Releases