CVE-2026-6324 Overview
CVE-2026-6324 is an HTTP request smuggling vulnerability in libsoup, the GNOME HTTP client/server library. The flaw resides in the soup_body_input_stream_read_chunked() function, where an unsigned to signed integer conversion error allows a remote attacker to send a malicious HTTP request that is parsed inconsistently. The issue surfaces when libsoup operates behind a non-libsoup proxy or acts as a proxy in front of a non-libsoup backend. Successful exploitation can bypass security controls, poison web caches, or grant unauthorized access to backend resources. The vulnerability is tracked under CWE-444: Inconsistent Interpretation of HTTP Requests.
Critical Impact
Remote attackers can smuggle HTTP requests through proxy-backend chains involving libsoup, enabling cache poisoning, security control bypass, and unauthorized access to protected backend endpoints.
Affected Products
- GNOME libsoup HTTP library (chunked transfer parsing path)
- Applications and services embedding vulnerable libsoup versions
- Deployments where libsoup is paired with a non-libsoup proxy or backend
Discovery Timeline
- 2026-05-29 - CVE-2026-6324 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-6324
Vulnerability Analysis
The vulnerability is a numeric conversion flaw in libsoup's chunked transfer-encoding parser. When soup_body_input_stream_read_chunked() processes a chunk size value, an unsigned integer is converted to a signed integer without proper bounds validation. An attacker can craft chunk size fields that, after conversion, are interpreted differently by libsoup than by an upstream or downstream HTTP intermediary.
This disagreement between two HTTP parsers is the foundation of HTTP request smuggling. One endpoint treats the boundary between requests at one offset, while the other places it elsewhere. The attacker uses this gap to inject a second request that the intermediary cannot see. The attack requires a proxy-backend configuration with at least one non-libsoup peer, which raises exploitation complexity.
Root Cause
The defect originates in chunked body parsing logic inside soup_body_input_stream_read_chunked(). Chunk lengths supplied by the client are read as unsigned values but then assigned to a signed type used for length tracking and buffer management. Specially crafted large or negative-appearing values change parser behavior, causing libsoup to terminate or extend a chunk differently than RFC 9112 compliant peers. Inconsistent boundary calculation produces the smuggling primitive [CWE-444].
Attack Vector
Exploitation requires network access to a deployment that proxies HTTP traffic through libsoup alongside a non-libsoup peer. The attacker submits a crafted HTTP request with manipulated Transfer-Encoding: chunked data. The front-end and back-end parse the request body to different lengths, leaving a smuggled request queued on the backend connection. The smuggled request can target privileged endpoints, poison shared caches, or hijack responses destined for other users.
No verified public exploit code is available. See the Red Hat CVE Advisory and the GNOME Issue Report for upstream technical details.
Detection Methods for CVE-2026-6324
Indicators of Compromise
- HTTP requests containing malformed or oversized chunk-size fields in Transfer-Encoding: chunked bodies.
- Requests where Content-Length and Transfer-Encoding headers disagree or both appear in the same message.
- Unexpected backend log entries showing requests with no corresponding front-end proxy log.
- Cache entries returning content that does not match the requested URL or host.
Detection Strategies
- Inspect HTTP parser logs from front-end and back-end nodes for length-mismatch warnings on chunked transfers.
- Deploy a web application firewall rule that rejects requests carrying both Content-Length and Transfer-Encoding headers.
- Run differential parsing tests between libsoup and the paired proxy or backend using known smuggling payloads.
Monitoring Recommendations
- Correlate request identifiers across proxy and origin logs to find orphaned or duplicated requests.
- Track sudden spikes in 400-class responses on chunked POST and PUT traffic.
- Monitor cache hit ratios and content-type mismatches for evidence of cache poisoning.
How to Mitigate CVE-2026-6324
Immediate Actions Required
- Inventory all systems and applications that link against libsoup and identify proxy or gateway roles.
- Apply the upstream libsoup security update from your Linux distribution as soon as it is published.
- Disable chunked transfer support on intermediaries where it is not required by application traffic.
Patch Information
Patches are tracked upstream in the GNOME Issue Report and the GNOME Work Item. Distribution-specific fixes are coordinated through the Red Hat Bug Report. Upgrade libsoup to the fixed version provided by your vendor and restart services that load the library.
Workarounds
- Normalize HTTP requests at the perimeter by stripping conflicting Transfer-Encoding and Content-Length header combinations.
- Configure proxies to reject requests with malformed chunk size encodings before they reach libsoup.
- Where feasible, route traffic so that both proxy and backend use the same HTTP parser implementation, eliminating the parser disagreement.
# Example: drop requests carrying both Transfer-Encoding and Content-Length at NGINX
if ($http_transfer_encoding ~* "chunked") {
set $smuggle_check "TE";
}
if ($http_content_length) {
set $smuggle_check "${smuggle_check}_CL";
}
if ($smuggle_check = "TE_CL") {
return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
