CVE-2026-3634 LOW

CVE-2026-3634: Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-93 · CRLF injection
Published March 17, 2026
Last update March 19, 2026

CVSS base score

3.9/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.

Key dates

02Disclosure timeline

March 17, 2026 CVE published
March 19, 2026 Record updated