Skip to main content

Ubuntu CVE-2026-3632

| EUVDEUVD-2026-12559 LOW
Improper Validation of Syntactic Correctness of Input (CWE-1286)
2026-03-17 redhat
3.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.9 LOW
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Ubuntu
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 17, 2026 - 11:57 euvd
EUVD-2026-12559
Analysis Generated
Mar 17, 2026 - 11:57 vuln.today
CVE Published
Mar 17, 2026 - 09:44 nvd
LOW 3.9

DescriptionCVE.org

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

AnalysisAI

A flaw was found in libsoup, a library used by applications to send network requests.

Technical ContextAI

Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services.

RemediationAI

Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.

Vendor StatusVendor

Ubuntu

Priority: Medium
libsoup2.4
Release Status Version
upstream needs-triage -
bionic deferred 2026-03-11
focal deferred 2026-03-11
jammy deferred 2026-03-11
noble deferred 2026-03-11
questing deferred 2026-03-11
xenial deferred 2026-03-11
libsoup3
Release Status Version
upstream needs-triage -
jammy deferred 2026-03-11
noble deferred 2026-03-11
questing deferred 2026-03-11

Debian

Bug #1130499
libsoup2.4
Release Status Fixed Version Urgency
bullseye vulnerable 2.72.0-2 -
bullseye (security) vulnerable 2.72.0-2+deb11u3 -
bookworm vulnerable 2.74.3-1+deb12u1 -
trixie vulnerable 2.74.3-10.1 -
(unstable) fixed (unfixed) -
libsoup3
Release Status Fixed Version Urgency
bookworm vulnerable 3.2.3-0+deb12u2 -
trixie vulnerable 3.6.5-3 -
forky, sid vulnerable 3.6.6-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-3632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy