CVE-2026-3633

ℹ️ low

Summary

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.

CVSS Score

3.9

Low

EPSS Score

0.0

Exploit Probability

Published Date

2026-03-17

First Seen: 2026-03-18

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 4.3% of all 318,332 vulnerabilities in our database.

#304,519

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Mar 17, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

Red Hat would like to thank Codean Labs for reporting this issue.

SSVC data provided by CISA

Last Modified 2026-03-19

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE IDs (Weakness Types)

CWE-93

📦 Affected Products 6

Vendor	Product	Status	Affected Versions
redhat	enterprise_linux	Affected	v10.0
redhat	enterprise_linux	Affected	v6.0
redhat	enterprise_linux	Affected	v7.0
redhat	enterprise_linux	Affected	v8.0
redhat	enterprise_linux	Affected	v9.0
gnome	libsoup	Affected	v-

🔗 References 3

https://access.redhat.com/security/cve/CVE-2026-3633

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2445128

Issue Tracking Vendor Advisory

https://gitlab.gnome.org/GNOME/libsoup/-/issues/484

Exploit Issue Tracking Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-4647	🔶 medium	6.1	0.0	A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files...	2026-03-23
CVE-2026-3632	ℹ️ low	3.9	0.1	A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because ...	2026-03-17
CVE-2026-3634	ℹ️ low	3.9	0.0	A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage...	2026-03-17
CVE-2026-4271	🔶 medium	5.3	1.0	A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs...	2026-03-17
CVE-2026-3441	🔶 medium	6.1	0.0	A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in t...	2026-03-16
CVE-2026-3442	🔶 medium	6.1	0.0	A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, ...	2026-03-16

These CVEs affect the same products