Bug 2445129 (CVE-2026-3634)

Summary: CVE-2026-3634 libsoup: libsoup: HTTP header injection and response splitting via CRLF injection in Content-Type header
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2445148, 2445149, 2445150    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-06 08:00:24 UTC 
The soup_message_headers_set_content_type() function sets the Content-Type header value. Internally, it calls soup_message_headers_append_common() to add the new Content-Type value to an accumulating array.
Unlike soup_message_headers_append(), the internal soup_message_headers_append_common() function does not enforce any restrictions on the allowed characters in the header value, allowing the creation of a header whose value contains a CRLF sequence.
Later, when the HTTP request or response is constructed, the header strings are interpreted without further sanitization, resulting in the effective injection of a CRLF sequence, and hence, arbitrary header-value pairs.
A proof of concept script that showcases the issue can be found in the attachment.
CRLF_inj_in_soup_message_headers_set_content_type.c
Running this code confirms that the server on localhost:5000 receives a valid HTTP request containing the injected X-Injected-By header with the value injection.

Impact
An attacker controlling the value used to set the Content-Type header is able to perform a CRLF injection, potentially leading to header injection and response splitting.

Recommended solution
Instead of directly using the soup_message_headers_append_common() function, use the soup_message_headers_append() function in soup_message_headers_set_content_type().