Skip to main content

Ubuntu CVE-2026-3633

| EUVD-2026-12560 LOW
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-03-17 redhat
Code Injection Debian Ubuntu
3.9
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 17, 2026 - 11:57 euvd
EUVD-2026-12560
Analysis Generated
Mar 17, 2026 - 11:57 vuln.today
CVE Published
Mar 17, 2026 - 09:44 nvd
LOW 3.9

DescriptionNVD

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soup_message_new() function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.

AnalysisAI

A security vulnerability in A flaw (CVSS 3.9). Remediation should follow standard vulnerability management procedures.

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-47269 HIGH
7.4 May 27

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH
CVE-2026-47271 MEDIUM
5.1 May 27

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str
CVE-2026-45898
May 27

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removin
CVE-2026-45924
May 27

In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on s
CVE-2026-45965
May 27

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_

Vendor StatusVendor

Ubuntu

Priority: Medium
libsoup2.4
Release Status Version
upstream needs-triage -
bionic deferred 2026-03-11
focal deferred 2026-03-11
jammy deferred 2026-03-11
noble deferred 2026-03-11
questing deferred 2026-03-11
xenial deferred 2026-03-11
libsoup3
Release Status Version
upstream needs-triage -
jammy deferred 2026-03-11
noble deferred 2026-03-11
questing deferred 2026-03-11

Debian

Bug #1130500
libsoup2.4
Release Status Fixed Version Urgency
bullseye vulnerable 2.72.0-2 -
bullseye (security) vulnerable 2.72.0-2+deb11u3 -
bookworm vulnerable 2.74.3-1+deb12u1 -
trixie vulnerable 2.74.3-10.1 -
(unstable) fixed (unfixed) -
libsoup3
Release Status Fixed Version Urgency
bookworm vulnerable 3.2.3-0+deb12u2 -
trixie vulnerable 3.6.5-3 -
forky, sid vulnerable 3.6.6-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-3633 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy