Cyber Posture

CVE-2026-3099

Severity: Medium · Public PoC available

Published: 12 March 2026
Modified: 23 March 2026
KEV Added: not listed
CVSS Score: 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0054 (67.5th percentile)
Risk Priority: 12 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3099 is a medium-severity vulnerability in GNOME libsoup, as shipped in Red Hat Enterprise Linux, classified as CWE-323 (Reusing a Nonce, Key Pair in Encryption). Its CVSS 3.1 base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS percentile (67.5th) places it in the top 32.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The server-side nonce-handling flaw in HTTP Digest authentication lets a captured Authorization header be replayed indefinitely. That gives an attacker access to a network-exposed application without knowing the password (T1190), and it amounts to reusing a legitimate user's authentication material as if it were their account (T1078).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.

Deeper analysis (AI-generated)

CVE-2026-3099, published on 2026-03-12, is a vulnerability in libsoup's server-side HTTP Digest authentication, specifically the SoupAuthDomainDigest class. The server issues nonces but does not remember which ones it issued, and it does not require the nonce-count (nc) attribute to increase on each request using the same nonce. Those two checks are what make a Digest Authorization header single-use; without them the header is a reusable credential, which is the reuse pattern CWE-323 describes.

A remote, unauthenticated attacker who obtains one valid Authorization header from a legitimate user can resend it unchanged and be treated as that user, bypassing authentication and reaching protected resources. The CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L, base score 5.8) reflects the precondition: the attacker must first capture a legitimate user's request, hence high attack complexity and required user interaction. Where the Digest exchange is carried over plaintext HTTP, that capture only needs a network position between client and server.
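The two checks the advisory says are missing are easier to see in code than in prose. The following is an added example, written for this page and not taken from libsoup or from the Red Hat advisory: a minimal Digest verifier in the vulnerable shape described above (nonces handed out but never recorded, nc ignored) next to a hardened one that records each issued nonce, expires it, and refuses any nc that does not strictly increase. The realm, the user table, the `/admin` URI and all function and class names are constructed for the demo; the response computation itself follows RFC 7616 with MD5 and qop=auth.

```python
# Added illustrative example: server-side HTTP Digest verification, vulnerable
# shape (no nonce tracking, nc ignored) beside a hardened shape. Not libsoup
# code; realm, user table, URI and all names are constructed for the demo.
import hashlib
import secrets
import time

REALM = "demo-realm"                # constructed
USERS = {"alice": "correct-horse"}  # constructed sample credential


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response value for algorithm=MD5, qop=auth."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


def client_authorization(user, password, method, uri, nonce, nc, cnonce=None):
    """Build the Authorization header a legitimate client would send."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc:08x}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict (sufficient for the fields used here)."""
    if not header.startswith("Digest "):
        return None
    params = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def _response_matches(p, method):
    """Recompute the expected response for this header and compare in constant time."""
    password = USERS.get(p.get("username"))
    if password is None:
        return False
    try:
        expected = digest_response(p["username"], password, method, p["uri"],
                                   p["nonce"], int(p["nc"], 16), p["cnonce"])
    except (KeyError, ValueError):
        return False
    return secrets.compare_digest(expected, p.get("response", ""))


class VulnerableDigestServer:
    """Checks only the signature: any nonce, any nc, so a captured header verifies forever."""

    def challenge(self):
        return secrets.token_hex(16)  # handed out, never recorded

    def verify(self, method, header):
        p = parse_authorization(header)
        return bool(p) and _response_matches(p, method)


class HardenedDigestServer:
    """Remembers issued nonces, expires them, and requires nc to strictly increase."""

    def __init__(self, nonce_ttl=300, now=time.monotonic):
        self._issued = {}   # nonce -> [issued_at, highest nc accepted so far]
        self._ttl = nonce_ttl
        self._now = now

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = [self._now(), 0]
        return nonce

    def verify(self, method, header):
        p = parse_authorization(header)
        if not p:
            return False
        record = self._issued.get(p.get("nonce"))
        if record is None:               # never issued by us, or already retired
            return False
        issued_at, last_nc = record
        if self._now() - issued_at > self._ttl:
            self._issued.pop(p["nonce"], None)
            return False
        try:
            nc = int(p.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= last_nc:                # replay, or counter went backwards
            return False
        if not _response_matches(p, method):
            return False
        record[1] = nc                   # advance only after a good signature
        return True


def demo_replay(server):
    """One legitimate request, then the identical header resent by an attacker."""
    nonce = server.challenge()
    header = client_authorization("alice", "correct-horse", "GET", "/admin", nonce, nc=1)
    return server.verify("GET", header), server.verify("GET", header)


if __name__ == "__main__":
    print("vulnerable (first, replay):", demo_replay(VulnerableDigestServer()))
    print("hardened   (first, replay):", demo_replay(HardenedDigestServer()))
```

The replay succeeds against the first server because nothing about the header changes between the legitimate request and the attacker's copy, and the signature still verifies. The hardened server rejects it on the nc check alone: the attacker cannot raise nc without recomputing the response, which needs the password. The nonce table is what stops a forged or long-expired nonce from being presented at all, and advancing the stored counter only after a successful signature check keeps an attacker from burning a user's counter with garbage requests.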

Mitigation guidance and patches are tracked in the related advisories: Red Hat's security page at https://access.redhat.com/security/cve/CVE-2026-3099, the Red Hat Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2442232, and GNOME's libsoup GitLab issue at https://gitlab.gnome.org/GNOME/libsoup/-/issues/495.

Details

CWE(s)

CWE-323: Reusing a Nonce, Key Pair in Encryption

Affected Products

gnome / libsoup: all versions
redhat / enterprise linux: 6.0, 7.0, 8.0, 9.0, 10.0

CVEs Like This One

CVE-2026-5119 (same product: GNOME libsoup)
CVE-2026-4271 (same product: GNOME libsoup)
CVE-2026-2436 (same product: GNOME libsoup)
CVE-2025-14087 (same product: Red Hat Enterprise Linux)
CVE-2026-5201 (same product: Red Hat Enterprise Linux)
CVE-2025-32988 (same product: Red Hat Enterprise Linux)
CVE-2026-33845 (same product: Red Hat Enterprise Linux)
CVE-2026-28368 (same product: Red Hat Enterprise Linux)
CVE-2026-28369 (same product: Red Hat Enterprise Linux)
CVE-2026-3009 (same vendor: Red Hat)

References