Skip to main content

libsoup CVE-2026-6324

| EUVDEUVD-2026-33249 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-05-29 redhat GHSA-2637-3gxc-qg4f
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 29, 2026 - 06:43 vuln.today
CVE Published
May 29, 2026 - 05:24 nvd
MEDIUM 4.8

DescriptionCVE.org

A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the soup_body_input_stream_read_chunked() function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.

AnalysisAI

HTTP request smuggling in libsoup allows remote unauthenticated attackers to exploit an unsigned-to-signed integer conversion error in the soup_body_input_stream_read_chunked() function via a crafted HTTP request. The vulnerability is confined to specific proxy topologies where libsoup operates either behind or in front of a non-libsoup HTTP intermediary, and successful exploitation can result in authentication bypass, web cache poisoning, or unauthorized access. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the integrity and confidentiality impacts warrant urgent attention in any affected mixed-proxy deployment.

Technical ContextAI

libsoup is a GNOME HTTP client/server library widely packaged across Linux distributions, including Red Hat Enterprise Linux 6 through 10. The flaw resides in soup_body_input_stream_read_chunked(), the function responsible for parsing HTTP chunked transfer-encoding bodies. An unsigned-to-signed integer conversion error in this function creates an inconsistent interpretation of HTTP message framing boundaries - the exact root cause class identified as CWE-444 (Inconsistent Interpretation of HTTP Requests, commonly known as HTTP Request Smuggling). When libsoup disagrees with an adjacent non-libsoup proxy on where one HTTP request ends and the next begins, an attacker can exploit that desynchronization to inject a smuggled request. The CPE data (cpe:2.3:a:red_hat:red_hat_enterprise_linux_6 through red_hat_enterprise_linux_10) confirms the vulnerable libsoup packages are present across all major RHEL generations. The upstream defect is tracked at GNOME GitLab issue #508.

RemediationAI

Monitor and apply the vendor-supplied errata from Red Hat once published; the advisory is tracked at https://access.redhat.com/security/cve/CVE-2026-6324 and Bugzilla entry 2458479. No specific patched libsoup version number is confirmed in the available input data - patch availability is inferred from the existence of an upstream GitLab issue (#508) but a released fix version has not been independently verified, so treat patch status as 'upstream fix in progress' until Red Hat publishes errata. As an immediate compensating control, audit all deployments to identify where libsoup components sit in a proxy chain alongside non-libsoup intermediaries; eliminating the mixed-proxy topology removes the attack surface entirely and carries no functional downside if an alternative intermediary is available. Where topology changes are not feasible, deploying an HTTP normalization layer or WAF between the proxy boundary can reduce the ability to craft divergently interpreted chunked payloads, though this adds latency and operational overhead. Additionally, disabling HTTP response caching on affected proxy nodes until a patch is applied directly mitigates the cache poisoning impact vector.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-6324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy