CVE-2026-1536 Overview
A flaw in libsoup, the GNOME HTTP client/server library, allows attackers to inject Carriage Return Line Feed (CRLF) sequences through the Content-Disposition header. When an attacker controls input passed to this header, the library writes those sequences verbatim into the constructed HTTP message. This behavior enables HTTP header injection and HTTP response splitting against applications that rely on libsoup for HTTP processing. The vulnerability requires no authentication and no user interaction, and is reachable over the network. The flaw is tracked under CWE-93 (Improper Neutralization of CRLF Sequences) and affects multiple Red Hat Enterprise Linux releases that ship libsoup.
Critical Impact
Unauthenticated remote attackers can inject arbitrary HTTP headers or split responses by smuggling CRLF sequences into the Content-Disposition header, enabling cache poisoning, session fixation, and downstream proxy desynchronization.
Affected Products
- GNOME libsoup (upstream)
- Red Hat Enterprise Linux 6, 7, 8, 9, 10
- Applications linking against vulnerable libsoup builds
Discovery Timeline
- 2026-01-28 - CVE-2026-1536 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-1536
Vulnerability Analysis
The vulnerability is an HTTP header injection issue in libsoup's handling of the Content-Disposition header. libsoup constructs HTTP messages by concatenating caller-supplied values into the header section without validating that those values are free of CRLF (\r\n) byte sequences. When attacker-controlled content reaches the Content-Disposition field, the embedded CRLF terminates the current header line and begins a new one inside the same HTTP message.
Downstream parsers, including intermediary proxies and browsers, treat the injected bytes as legitimate header fields or as the boundary between headers and body. This permits HTTP response splitting on the server side and request header injection on the client side. The vulnerability impacts integrity rather than confidentiality, but can be chained with cache poisoning, open redirect, or cross-site scripting primitives in consuming applications.
Root Cause
The root cause is missing neutralization of CRLF metacharacters in header value construction within libsoup. The library trusts that callers sanitize input, but many GNOME and Red Hat ecosystem applications pass filenames or user-controlled strings directly into Content-Disposition without filtering \r or \n bytes.
Attack Vector
An attacker supplies a crafted filename or attachment parameter containing %0d%0a sequences. When the application sets this value via libsoup's message API, the library serializes the raw bytes into the wire format. A representative payload structure is attachment; filename="file.txt\r\nSet-Cookie: session=attacker\r\n\r\n<injected body>", which causes the response to be parsed as two HTTP messages by an upstream cache or proxy. No authentication is required, and exploitation succeeds against any application that forwards untrusted input into the affected header.
No public proof-of-concept exploit is currently available. For technical details, see the GNOME libsoup Issue #486 and the Red Hat CVE-2026-1536 Advisory.
Detection Methods for CVE-2026-1536
Indicators of Compromise
- HTTP requests or responses containing raw \r\n byte sequences inside Content-Disposition header values.
- Unexpected Set-Cookie, Location, or Content-Length headers appearing immediately after a Content-Disposition line in proxy or web server logs.
- Cache entries serving two response bodies for a single requested resource, suggesting successful response splitting.
Detection Strategies
- Inspect web server, reverse proxy, and WAF logs for URL-encoded %0d%0a or literal CRLF bytes in download filenames or attachment parameters.
- Run dependency scanners against installed packages to flag libsoup versions referenced in the Red Hat CVE-2026-1536 Advisory.
- Add WAF rules that reject header values containing control characters between 0x00 and 0x1F, excluding tab.
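The following is an added detection example, not code from the advisory, libsoup or Red Hat. It implements the first strategy above as a single C function that scans one log or header line (a proxy access-log request line, or a captured Content-Disposition header) and reports whether the filename or header value carries CR/LF either as raw bytes or percent-encoded as %0d/%0a in any letter case. The function name, the helper names and the sample lines in main() are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search; returns a pointer into haystack or NULL.
 * Hypothetical helper written for this example. */
static const char *find_ci(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    for (; *haystack; haystack++) {
        size_t i;
        for (i = 0; i < n; i++) {
            if (tolower((unsigned char)haystack[i]) != tolower((unsigned char)needle[i]))
                break;
        }
        if (i == n)
            return haystack;
    }
    return NULL;
}

/* Value of one hex digit, or -1 when c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Returns 1 when the Content-Disposition value or filename= parameter in
 * `line` contains CR or LF (raw, or percent-encoded as %0d / %0a),
 * 0 when it is clean, and -1 when the line carries neither field.
 * A trailing line terminator on the log line itself is not counted. */
int line_has_crlf_in_filename(const char *line)
{
    const char *p = find_ci(line, "content-disposition:");
    if (p)
        p += strlen("content-disposition:");
    else if ((p = find_ci(line, "filename=")) != NULL)
        p += strlen("filename=");
    else
        return -1;

    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                         /* ignore the log line's own newline */
    const char *end = line + len;

    for (; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '\r' || c == '\n')
            return 1;                  /* literal CRLF bytes in the value */
        if (c == '%' && hexval((unsigned char)p[1]) >= 0 &&
            hexval((unsigned char)p[2]) >= 0) {
            int decoded = hexval((unsigned char)p[1]) * 16 + hexval((unsigned char)p[2]);
            if (decoded == '\r' || decoded == '\n')
                return 1;              /* URL-encoded %0d or %0a */
            p += 2;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines for this example, not real traffic. */
    const char *samples[] = {
        "GET /download?filename=report.pdf HTTP/1.1",
        "GET /download?filename=x.txt%0D%0AX-Injected:%201 HTTP/1.1",
        "Content-Disposition: attachment; filename=\"a.txt\r\nX-Injected: 1\"",
        "Content-Disposition: attachment; filename=\"clean.txt\"\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: verdict %d\n", i, line_has_crlf_in_filename(samples[i]));
    return 0;
}
```

Run it over each line of an access log or a header dump and alert on every line that returns 1. The percent-decoding is deliberately limited to spotting CR and LF; a WAF rule that rejects the whole 0x00 to 0x1F range (tab excepted), as the third strategy above suggests, is the broader control.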
Monitoring Recommendations
- Alert on outbound HTTP traffic from libsoup-based clients (such as Evolution, GNOME Web, and Flatpak tooling) that includes anomalous multi-line headers.
- Continuously inventory hosts running affected Red Hat Enterprise Linux 6 through 10 builds and prioritize patching internet-facing systems.
How to Mitigate CVE-2026-1536
Immediate Actions Required
- Apply vendor-supplied libsoup updates from the Red Hat CVE-2026-1536 Advisory as soon as packages are available for each affected Red Hat Enterprise Linux release.
- Audit application code that calls soup_message_headers_append or sets Content-Disposition from user input, and add CRLF stripping at the application layer.
- Restart long-running services and desktop sessions that load libsoup into memory after upgrading the shared library.
Patch Information
Fixes are tracked upstream in GNOME libsoup Issue #486 and downstream in Red Hat Bug Report #2433834. Consult the Red Hat advisory for the specific errata package versions corresponding to each supported Red Hat Enterprise Linux release.
Workarounds
- Sanitize all values destined for Content-Disposition at the application boundary by rejecting or stripping \r and \n bytes before invoking libsoup APIs.
- Deploy a reverse proxy or WAF rule that drops HTTP messages containing CRLF sequences inside header values for headers other than well-known multi-line fields.
- Restrict network exposure of services built on libsoup until patched packages are deployed across the fleet.
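The following is an added example, not code from libsoup, GNOME or Red Hat, illustrating the application-layer CRLF stripping recommended both under Immediate Actions Required and in the first workaround above. It builds a Content-Disposition value by plain concatenation, the behavior the advisory attributes to libsoup, shows how a tainted filename splits the serialized header into two lines, and then applies a sanitizer that drops every control byte (0x00 to 0x1F and 0x7F, tab excepted) before the value would be handed to soup_message_headers_append(). The sanitizer returns the number of bytes it removed so a caller that prefers to reject rather than repair can do so. The function names, buffer sizes and the sample filename are constructed for this example; libsoup itself is not called.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical application-layer guard, not libsoup code. Copies `in` to
 * `out` minus every byte that must never appear in an HTTP header value
 * (CTLs 0x00-0x1F and DEL 0x7F; HTAB is allowed). Returns how many bytes
 * were dropped; a strict caller treats any non-zero result as a reject. */
size_t sanitize_header_value(const char *in, char *out, size_t outsz)
{
    size_t removed = 0, o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int is_ctl = (*p < 0x20 && *p != '\t') || *p == 0x7f;
        if (is_ctl) {
            removed++;
            continue;
        }
        if (o + 1 < outsz)
            out[o++] = (char)*p;   /* silently truncate oversized input */
    }
    if (outsz)
        out[o] = '\0';
    return removed;
}

/* Builds the header value the way the advisory describes libsoup doing it:
 * caller-supplied filename concatenated in with no neutralisation. */
void build_content_disposition(const char *filename, char *out, size_t outsz)
{
    snprintf(out, outsz, "attachment; filename=\"%s\"", filename);
}

/* Serialises one header line and returns how many CRLF-terminated lines a
 * peer will parse from it: 1 for a clean value, more when it was split. */
int count_header_lines(const char *name, const char *value)
{
    char wire[512];
    int lines = 0;
    snprintf(wire, sizeof wire, "%s: %s\r\n", name, value);
    for (const char *p = wire; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

int main(void)
{
    /* Constructed tainted filename for this example, not a captured sample. */
    const char *tainted = "file.txt\r\nX-Injected: 1";
    char clean[256], hdr[512];

    build_content_disposition(tainted, hdr, sizeof hdr);
    printf("unsanitised: %d header line(s) on the wire\n",
           count_header_lines("Content-Disposition", hdr));

    size_t dropped = sanitize_header_value(tainted, clean, sizeof clean);
    build_content_disposition(clean, hdr, sizeof hdr);
    printf("sanitised (%zu byte(s) removed): %d header line(s) on the wire\n",
           dropped, count_header_lines("Content-Disposition", hdr));
    /* A real libsoup caller would now pass `hdr` to
     * soup_message_headers_append(headers, "Content-Disposition", hdr). */
    return 0;
}
```

The guard belongs at the trust boundary where the filename enters the application, not next to the libsoup call, so that every path into soup_message_headers_append sees an already-clean value. It does not replace the vendor update: it protects only the headers the application itself sanitizes.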
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.