Skip to main content
CVE Vulnerability Database

CVE-2026-1801: Gnome Libsoup Information Disclosure Flaw

CVE-2026-1801 is an information disclosure vulnerability in Gnome Libsoup caused by HTTP request smuggling through malformed chunk headers. Attackers can exploit this remotely without authentication. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-1801 Overview

CVE-2026-1801 is an HTTP Request Smuggling vulnerability [CWE-444] in libsoup, the GNOME project's HTTP client/server library. The flaw resides in the soup_filter_input_stream_read_line() parsing logic, which accepts malformed chunk headers that violate RFC requirements. Specifically, libsoup accepts a lone line feed (LF) character where the HTTP specification mandates a carriage return and line feed (CRLF) sequence. A remote attacker can exploit this without authentication or user interaction by sending crafted chunked-transfer requests. The non-compliant parsing causes libsoup to interpret multiple HTTP requests from a single network message, enabling request smuggling that can lead to information disclosure.

Critical Impact

Unauthenticated remote attackers can smuggle HTTP requests through libsoup-based servers and proxies, bypassing front-end security controls and exposing sensitive data.

Affected Products

  • GNOME libsoup (all versions prior to fix)
  • Red Hat Enterprise Linux 6, 7, 8, 9, and 10
  • Applications and services that embed libsoup for HTTP processing

Discovery Timeline

  • 2026-02-03 - CVE-2026-1801 published to the National Vulnerability Database
  • 2026-03-26 - CVE record last updated in NVD

Technical Details for CVE-2026-1801

Vulnerability Analysis

The vulnerability is an HTTP Request Smuggling flaw classified under [CWE-444] (Inconsistent Interpretation of HTTP Requests). HTTP Request Smuggling occurs when two HTTP processors in a chain, typically a front-end proxy and a back-end server, disagree on where one request ends and the next begins. libsoup deviates from RFC 9112 by accepting chunk-size lines terminated with a single LF byte rather than the required CRLF sequence. Attackers leverage this discrepancy when libsoup sits behind or in front of a stricter HTTP parser. The attacker crafts a payload that the strict parser treats as one request while libsoup splits it into two. The smuggled second request can then bypass authentication, poison caches, or extract data intended for other users.

Root Cause

The root cause is non-RFC-compliant line termination handling inside the soup_filter_input_stream_read_line() function. The routine treats a bare LF as a valid line terminator when parsing chunked transfer-encoding headers. RFC 9112 Section 7.1 requires chunk-size [chunk-ext] CRLF framing, and lenient acceptance of LF-only terminators creates parser desynchronization opportunities.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker submits a single TCP payload containing a chunked request whose chunk-size lines end with LF instead of CRLF. When libsoup and an adjacent HTTP intermediary parse the bytes differently, the second smuggled request reaches the back-end with attacker-controlled headers and body. This enables request queue poisoning, response queue desynchronization, and theft of in-flight responses belonging to other clients. No verified public exploit is available, and the EPSS score reflects low observed exploitation activity, but the technique is well-understood and reproducible against vulnerable deployments. Refer to the GNOME Issue #481 on libsoup for technical reproduction details.

Detection Methods for CVE-2026-1801

Indicators of Compromise

  • HTTP requests containing chunk-size lines terminated with bare LF (\n) rather than CRLF (\r\n) at the network layer
  • Duplicate or overlapping Content-Length and Transfer-Encoding: chunked headers in inbound traffic
  • Unexpected response queue desynchronization, such as clients receiving responses intended for other sessions
  • Anomalous spikes in 400-class errors from libsoup-backed services following malformed chunked payloads

Detection Strategies

  • Deploy web application firewall rules that reject HTTP messages with non-CRLF chunk-size terminators
  • Enable strict HTTP parsing on upstream reverse proxies and compare framing decisions with libsoup back-ends
  • Hunt for libsoup versions across the estate by inventorying installed packages on Red Hat Enterprise Linux 6 through 10 hosts
  • Correlate access logs between front-end proxies and libsoup services to surface request count mismatches

Monitoring Recommendations

  • Log raw HTTP request bytes at proxy ingress points to detect lone-LF chunk framing attempts
  • Alert on requests that combine Transfer-Encoding: chunked with abnormal whitespace or terminator patterns
  • Monitor libsoup-based application logs for parser errors, partial request consumption, and unexpected pipelining

How to Mitigate CVE-2026-1801

Immediate Actions Required

  • Inventory all systems running libsoup or applications that depend on it, including GNOME desktop components and server-side consumers
  • Apply vendor-supplied libsoup updates from the Red Hat CVE-2026-1801 Advisory as soon as packages are available
  • Place a strict HTTP/1.1 parser in front of libsoup-based services to normalize or reject malformed chunked encodings
  • Restart all services that link against libsoup after patching to ensure the updated library is loaded

Patch Information

Red Hat is tracking the issue in Red Hat Bug Report #2436315 and is coordinating package updates across Red Hat Enterprise Linux 6, 7, 8, 9, and 10. The upstream fix is tracked in GNOME Issue #481 on libsoup and corrects soup_filter_input_stream_read_line() to require CRLF terminators in chunked headers. Administrators should consult their distribution's errata for fixed package versions.

Workarounds

  • Front libsoup services with a hardened reverse proxy such as one configured to enforce strict RFC 9112 chunk framing
  • Disable HTTP keep-alive and connection reuse on affected services to limit smuggling impact where patching is delayed
  • Restrict network exposure of libsoup-based services to trusted clients until updates are deployed
  • Drop requests containing Transfer-Encoding: chunked at perimeter devices for services that do not require chunked uploads

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.