DEBIAN-CVE-2026-1801
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-1801
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1801.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-1801
- Upstream
- Published
- 2026-02-03T21:16:12.390Z
- Modified
- 2026-03-27T10:02:48.689542Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soupfilterinputstreamread_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.
- References
Affected packages
Debian:11
libsoup2.4
Package
- Name
- libsoup2.4
- Purl
- pkg:deb/debian/libsoup2.4?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.72.0-2
2.72.0-2+deb11u1
2.72.0-2+deb11u2
2.72.0-2+deb11u3
2.72.0-3
2.72.0-4
2.74.0-1
2.74.0-2
2.74.0-3
2.74.1-1
2.74.2-1
2.74.2-2
2.74.2-3
2.74.3-1
2.74.3-2
2.74.3-3
2.74.3-3.1~exp1
2.74.3-3.1~exp2
2.74.3-3.1~exp3
2.74.3-5
2.74.3-6
2.74.3-7
2.74.3-8
2.74.3-8.1
2.74.3-9
2.74.3-10
2.74.3-10.1
2.74.3-11
Debian:12
libsoup2.4
Package
- Name
- libsoup2.4
- Purl
- pkg:deb/debian/libsoup2.4?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
libsoup3
Package
- Name
- libsoup3
- Purl
- pkg:deb/debian/libsoup3?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.2.2-2
3.2.3-0+deb12u1
3.2.3-0+deb12u2
3.3.1-1
3.4.0-1
3.4.1-1
3.4.2-1
3.4.2-2
3.4.2-3
3.4.2-4
3.4.3-1
3.4.4-1
3.4.4-2
3.4.4-3
3.4.4-4
3.4.4-5
3.5.2-1
3.6.0-1
3.6.0-2
3.6.0-3
3.6.0-4
3.6.1-1
3.6.4-1
3.6.4-2
3.6.4-3
3.6.5-1
3.6.5-2
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7
3.6.5-8
3.6.5-9
3.6.6-1