CVE-2026-3633
Publication date 17 March 2026
Last updated 25 March 2026
Ubuntu priority
Description
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libsoup2.4 | 25.10 questing |
Vulnerable, fix deferred
|
| 24.04 LTS noble |
Vulnerable, fix deferred
|
|
| 22.04 LTS jammy |
Vulnerable, fix deferred
|
|
| 20.04 LTS focal |
Vulnerable, fix deferred
|
|
| 18.04 LTS bionic |
Vulnerable, fix deferred
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| libsoup3 | 25.10 questing |
Vulnerable, fix deferred
|
| 24.04 LTS noble |
Vulnerable, fix deferred
|
|
| 22.04 LTS jammy |
Vulnerable, fix deferred
|
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.9 · Low
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | High |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |