CVE-2026-3634

ℹ️ low

Summary

A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.

CVSS Score

3.9

Low

EPSS Score

0.0

Exploit Probability

Published Date

2026-03-17

First Seen: 2026-03-18

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 4.3% of all 318,332 vulnerabilities in our database.

#304,519

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Mar 17, 2026

🔍 Exploitation Status

Poc

Proof-of-concept available

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

Red Hat would like to thank Codean Labs for reporting this issue.

SSVC data provided by CISA

Last Modified 2026-03-19

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE IDs (Weakness Types)

CWE-93

📦 Affected Products 6

Vendor	Product	Status	Affected Versions
redhat	enterprise_linux	Affected	v10.0
redhat	enterprise_linux	Affected	v6.0
redhat	enterprise_linux	Affected	v7.0
redhat	enterprise_linux	Affected	v8.0
redhat	enterprise_linux	Affected	v9.0
gnome	libsoup	Affected	v-

🔗 References 3

https://access.redhat.com/security/cve/CVE-2026-3634

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2445129

Issue Tracking Vendor Advisory

https://gitlab.gnome.org/GNOME/libsoup/-/issues/485

Exploit Issue Tracking Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-4647	🔶 medium	6.1	0.0	A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files...	2026-03-23
CVE-2026-3632	ℹ️ low	3.9	0.1	A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because ...	2026-03-17
CVE-2026-3633	ℹ️ low	3.9	0.0	A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function...	2026-03-17
CVE-2026-4271	🔶 medium	5.3	1.0	A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs...	2026-03-17
CVE-2026-3441	🔶 medium	6.1	0.0	A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in t...	2026-03-16
CVE-2026-3442	🔶 medium	6.1	0.0	A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, ...	2026-03-16

These CVEs affect the same products