Vulnerability-Lookup

MSRC_CVE-2026-3632

Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-03-31 15:07

Summary

Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-3632

3.9 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE-1286 - Improper Validation of Syntactic Correctness of Input

None Available There is no fix available for this vulnerability as of now

References

URL

Category

	https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
	https://support.microsoft.com/lifecycle	external
	https://www.first.org/cvss	external
	https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-3632 Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-3632.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames",
    "tracking": {
      "current_release_date": "2026-03-31T15:07:34.000Z",
      "generator": {
        "date": "2026-04-01T07:38:22.467Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-3632",
      "initial_release_date": "2026-03-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-03-21T01:02:34.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-03-31T15:07:34.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 libsoup 3.4.4-12",
                "product": {
                  "name": "azl3 libsoup 3.4.4-12",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 libsoup 3.0.4-12",
                "product": {
                  "name": "cbl2 libsoup 3.0.4-12",
                  "product_id": "4"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 libsoup 3.4.4-14",
                "product": {
                  "name": "azl3 libsoup 3.4.4-14",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 libsoup 3.0.4-13",
                "product": {
                  "name": "cbl2 libsoup 3.0.4-13",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "libsoup"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 libsoup 3.4.4-12 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 libsoup 3.0.4-12 as a component of CBL Mariner 2.0",
          "product_id": "17086-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 libsoup 3.4.4-14 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 libsoup 3.0.4-13 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-3632",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "notes": [
        {
          "category": "general",
          "text": "redhat",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-3",
          "17086-4",
          "17084-2",
          "17086-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-3632 Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-3632.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-03-21T01:02:34.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-3"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-03-21T01:02:34.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-4"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-03-21T01:02:34.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-2"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-03-21T01:02:34.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "environmentalsScore": 0.0,
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 3.9,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "17084-3",
            "17086-4",
            "17084-2",
            "17086-1"
          ]
        }
      ],
      "title": "Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames"
    }
  ]
}

CVE-2026-3632 (GCVE-0-2026-3632)

Vulnerability from cvelistv5 – Published: 2026-03-17 09:44 – Updated: 2026-03-19 20:56

Title

Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames

Summary

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

Severity ?

3.9 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/security/cve/CVE-2026-3632	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2445127	issue-trackingx_refsource_REDHAT
	https://gitlab.gnome.org/GNOME/libsoup/-/issues/483

Impacted products

Vendor

Product

Version

Red Hat

Red Hat Enterprise Linux 10

cpe:/o:redhat:enterprise_linux:10

Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9

Date Public ?

2026-03-06 05:05

Credits

Red Hat would like to thank Codean Labs for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3632",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T13:01:56.752811Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T13:02:07.183Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup3",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Codean Labs for reporting this issue."
        }
      ],
      "datePublic": "2026-03-06T05:05:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1286",
              "description": "Improper Validation of Syntactic Correctness of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T20:56:56.070Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-3632"
        },
        {
          "name": "RHBZ#2445127",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445127"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/483"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T07:43:20.255Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-03-06T05:05:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-1286: Improper Validation of Syntactic Correctness of Input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-3632",
    "datePublished": "2026-03-17T09:44:19.758Z",
    "dateReserved": "2026-03-06T07:51:17.978Z",
    "dateUpdated": "2026-03-19T20:56:56.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2026-3632

CVE-2026-3632 (GCVE-0-2026-3632)

Tags

Sightings

Nomenclature