CVE-2026-1801 Overview
CVE-2026-1801 is an HTTP Request Smuggling vulnerability [CWE-444] in libsoup, the GNOME project's HTTP client/server library. The flaw resides in the soup_filter_input_stream_read_line() parsing logic, which accepts malformed chunk headers that violate RFC requirements. Specifically, libsoup accepts a lone line feed (LF) character where the HTTP specification mandates a carriage return and line feed (CRLF) sequence. A remote attacker can exploit this without authentication or user interaction by sending crafted chunked-transfer requests. The non-compliant parsing causes libsoup to interpret multiple HTTP requests from a single network message, enabling request smuggling that can lead to information disclosure.
Critical Impact
Unauthenticated remote attackers can smuggle HTTP requests through libsoup-based servers and proxies, bypassing front-end security controls and exposing sensitive data.
Affected Products
- GNOME libsoup (all versions prior to fix)
- Red Hat Enterprise Linux 6, 7, 8, 9, and 10
- Applications and services that embed libsoup for HTTP processing
Discovery Timeline
- 2026-02-03 - CVE-2026-1801 published to the National Vulnerability Database
- 2026-03-26 - CVE record last updated in NVD
Technical Details for CVE-2026-1801
Vulnerability Analysis
The vulnerability is an HTTP Request Smuggling flaw classified under [CWE-444] (Inconsistent Interpretation of HTTP Requests). HTTP Request Smuggling occurs when two HTTP processors in a chain, typically a front-end proxy and a back-end server, disagree on where one request ends and the next begins. libsoup deviates from RFC 9112 by accepting chunk-size lines terminated with a single LF byte rather than the required CRLF sequence. Attackers leverage this discrepancy when libsoup sits behind or in front of a stricter HTTP parser. The attacker crafts a payload that the strict parser treats as one request while libsoup splits it into two. The smuggled second request can then bypass authentication, poison caches, or extract data intended for other users.
Root Cause
The root cause is non-RFC-compliant line termination handling inside the soup_filter_input_stream_read_line() function. The routine treats a bare LF as a valid line terminator when parsing chunked transfer-encoding headers. RFC 9112 Section 7.1 requires chunk-size [chunk-ext] CRLF framing, and lenient acceptance of LF-only terminators creates parser desynchronization opportunities.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a single TCP payload containing a chunked request whose chunk-size lines end with LF instead of CRLF. When libsoup and an adjacent HTTP intermediary parse the bytes differently, the second smuggled request reaches the back-end with attacker-controlled headers and body. This enables request queue poisoning, response queue desynchronization, and theft of in-flight responses belonging to other clients. No verified public exploit is available, and the EPSS score reflects low observed exploitation activity, but the technique is well-understood and reproducible against vulnerable deployments. Refer to the GNOME Issue #481 on libsoup for technical reproduction details.
Detection Methods for CVE-2026-1801
Indicators of Compromise
- HTTP requests containing chunk-size lines terminated with bare LF (\n) rather than CRLF (\r\n) at the network layer
- Duplicate or overlapping Content-Length and Transfer-Encoding: chunked headers in inbound traffic
- Unexpected response queue desynchronization, such as clients receiving responses intended for other sessions
- Anomalous spikes in 400-class errors from libsoup-backed services following malformed chunked payloads
Detection Strategies
- Deploy web application firewall rules that reject HTTP messages with non-CRLF chunk-size terminators
- Enable strict HTTP parsing on upstream reverse proxies and compare framing decisions with libsoup back-ends
- Hunt for libsoup versions across the estate by inventorying installed packages on Red Hat Enterprise Linux 6 through 10 hosts
- Correlate access logs between front-end proxies and libsoup services to surface request count mismatches
Monitoring Recommendations
- Log raw HTTP request bytes at proxy ingress points to detect lone-LF chunk framing attempts
- Alert on requests that combine Transfer-Encoding: chunked with abnormal whitespace or terminator patterns
- Monitor libsoup-based application logs for parser errors, partial request consumption, and unexpected pipelining
How to Mitigate CVE-2026-1801
Immediate Actions Required
- Inventory all systems running libsoup or applications that depend on it, including GNOME desktop components and server-side consumers
- Apply vendor-supplied libsoup updates from the Red Hat CVE-2026-1801 Advisory as soon as packages are available
- Place a strict HTTP/1.1 parser in front of libsoup-based services to normalize or reject malformed chunked encodings
- Restart all services that link against libsoup after patching to ensure the updated library is loaded
Patch Information
Red Hat is tracking the issue in Red Hat Bug Report #2436315 and is coordinating package updates across Red Hat Enterprise Linux 6, 7, 8, 9, and 10. The upstream fix is tracked in GNOME Issue #481 on libsoup and corrects soup_filter_input_stream_read_line() to require CRLF terminators in chunked headers. Administrators should consult their distribution's errata for fixed package versions.
Workarounds
- Front libsoup services with a hardened reverse proxy such as one configured to enforce strict RFC 9112 chunk framing
- Disable HTTP keep-alive and connection reuse on affected services to limit smuggling impact where patching is delayed
- Restrict network exposure of libsoup-based services to trusted clients until updates are deployed
- Drop requests containing Transfer-Encoding: chunked at perimeter devices for services that do not require chunked uploads
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

