Bug 2435951 (CVE-2026-1760)

Summary: CVE-2026-1760 libsoup: SoupServer: Denial of Service via HTTP request smuggling
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2435953, 2435954, 2435955
Bug Blocks:

Description OSIDB Bzimport 2026-02-02 12:30:03 UTC
HTTP request smuggling vulnerability in SoupServer due to improper handling of requests containing Transfer-Encoding: chunked combined with Connection: keep-alive. Although SoupServer correctly ignores the Content-Length header, it fails to close the connection after responding, in violation of RFC 9112. This allows remaining chunked data to be processed as a subsequent HTTP request. A remote, unauthenticated client can exploit this behavior to smuggle additional requests over a persistent connection, leading to unintended request processing and potential denial-of-service conditions.
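As an added example (not libsoup's code and not part of the bug report), this is the RFC 9112 handling the description refers to: when a request carries both Transfer-Encoding and Content-Length, frame the body by the chunked coding, ignore Content-Length, and close the connection after responding regardless of Connection: keep-alive (§6.1), so that bytes left after the final chunk are discarded rather than read as a new request. The request bytes and helper names (parse_head, framing_decision, decode_chunked, handle) are constructed for this example.

```python
from __future__ import annotations

def parse_head(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw request into a lowercased header map and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated fields are joined with commas (RFC 9110 §5.3) so list syntax survives.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers, body

def framing_decision(headers: dict[str, str]) -> dict:
    """Transfer-Encoding wins over Content-Length (RFC 9112 §6.3); a request carrying
    both must be answered and the connection then closed (§6.1), keep-alive or not."""
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    conn = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if te is not None and te.split(",")[-1].strip().lower() != "chunked":
        return {"framing": "reject", "must_close": True, "reason": "final coding not chunked"}
    framing = "chunked" if te is not None else "content-length" if cl is not None else "none"
    both = te is not None and cl is not None
    reason = "Transfer-Encoding and Content-Length both present" if both else ""
    return {"framing": framing, "must_close": "close" in conn or both, "reason": reason}

def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Return (decoded payload, bytes left after the last chunk and trailer section)."""
    out, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            while body[pos:pos + 2] != b"\r\n":  # skip any trailer fields
                pos = body.index(b"\r\n", pos) + 2
            return out, body[pos + 2:]
        out += body[pos:pos + size]
        pos += size + 2

# Constructed request: chunked body, keep-alive, a contradictory Content-Length, and
# stray bytes after the final chunk that a non-closing server would parse as a new request.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nConnection: keep-alive\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\nstray-bytes")

def handle(raw: bytes) -> dict:
    headers, body = parse_head(raw)
    d = framing_decision(headers)
    payload, leftover = decode_chunked(body) if d["framing"] == "chunked" else (body, b"")
    # Compliant servers close after responding, so leftover is discarded; the reported
    # flaw keeps the connection open, which would feed leftover to the request parser.
    return {**d, "payload": payload, "next_request": b"" if d["must_close"] else leftover}
```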