
Ubuntu CVE-2026-3634

EUVD-2026-12561 LOW
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-03-17 redhat
CVSS 3.1: 3.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd), Patch available
EUVD ID Assigned: Mar 17, 2026 - 11:57 (euvd), EUVD-2026-12561
Analysis Generated: Mar 17, 2026 - 11:57 (vuln.today)
CVE Published: Mar 17, 2026 - 09:44 (nvd), LOW 3.9

Description (NVD)

A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the soup_message_headers_set_content_type() function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.
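
A caller-side check that rejects such values before they reach soup_message_headers_set_content_type(), as an added example; it is not libsoup code and not the upstream fix. The helper names `content_type_is_safe` and `header_lines_if_unsanitized` are hypothetical, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 9110 "tchar": the only bytes allowed in a media type token. */
static bool is_tchar(unsigned char c)
{
    if (c >= '0' && c <= '9') return true;
    if ((c | 0x20) >= 'a' && (c | 0x20) <= 'z') return true;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Length of the token starting at p (0 if there is none). */
static size_t token_len(const unsigned char *p)
{
    size_t n = 0;
    while (is_tchar(p[n])) n++;
    return n;
}

/* Hypothetical helper (not a libsoup API): true only for "type/subtype"
 * optionally followed by parameters that contain no control bytes. */
bool content_type_is_safe(const char *value)
{
    if (value == NULL) return false;
    const unsigned char *p = (const unsigned char *)value;
    size_t n = token_len(p);                 /* type */
    if (n == 0 || p[n] != '/') return false;
    p += n + 1;
    n = token_len(p);                        /* subtype */
    if (n == 0) return false;
    p += n;
    if (*p != '\0' && *p != ';' && *p != ' ' && *p != '\t') return false;
    for (; *p; p++)                          /* parameters: no CR, LF, other controls */
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f) return false;
    return true;
}

/* Lines a serializer emits if value is written verbatim after "Content-Type: ". */
size_t header_lines_if_unsanitized(const char *value)
{
    size_t lines = 1;
    for (; *value; value++)
        if (*value == '\n') lines++;
    return lines;
}

int main(void)
{
    /* Constructed samples: one benign value, one carrying a CRLF sequence. */
    const char *samples[] = { "text/html; charset=utf-8", "text/html\r\nX-Injected: 1" };
    for (size_t i = 0; i < 2; i++)
        printf("safe=%d lines=%zu\n", content_type_is_safe(samples[i]),
               header_lines_if_unsanitized(samples[i]));
    return 0;
}
```
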

Analysis (AI)

A security vulnerability in libsoup (CVSS 3.9). Remediation should follow standard vulnerability management procedures.


Remediation (AI)

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.


Vendor Status (Vendor)

Ubuntu

Priority: Medium
libsoup2.4

| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| bionic | deferred | 2026-03-11 |
| focal | deferred | 2026-03-11 |
| jammy | deferred | 2026-03-11 |
| noble | deferred | 2026-03-11 |
| questing | deferred | 2026-03-11 |
| xenial | deferred | 2026-03-11 |

libsoup3

| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| jammy | deferred | 2026-03-11 |
| noble | deferred | 2026-03-11 |
| questing | deferred | 2026-03-11 |

Debian

Bug #1130501
libsoup2.4

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.72.0-2 | - |
| bullseye (security) | vulnerable | 2.72.0-2+deb11u3 | - |
| bookworm | vulnerable | 2.74.3-1+deb12u1 | - |
| trixie | vulnerable | 2.74.3-10.1 | - |
| (unstable) | fixed | (unfixed) | - |

libsoup3

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 3.2.3-0+deb12u2 | - |
| trixie | vulnerable | 3.6.5-3 | - |
| forky, sid | vulnerable | 3.6.6-1 | - |
| (unstable) | fixed | (unfixed) | - |
