
CVE-2026-3099

Severity: Medium · Public PoC

Published: 12 March 2026
Modified: 23 March 2026
KEV Added: none (not in the CISA KEV catalog)
CVSS Score (v3.1): 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0046 (64.6th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3099 is a medium-severity vulnerability in Red Hat Enterprise Linux, classified as CWE-323 (Reusing a Nonce, Key Pair in Encryption). Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 35.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3099, published on 2026-03-12, is a vulnerability in Libsoup, specifically in the server-side digest authentication implementation of the SoupAuthDomainDigest class. The flaw results from the component not properly tracking issued nonces or enforcing the required incrementing nonce-count (nc) attribute, as defined in CWE-323. This affects Libsoup's handling of HTTP digest authentication on the server side.

A remote attacker with no privileges can exploit this vulnerability by capturing a single valid authentication header from a legitimate user and replaying it repeatedly. Successful exploitation bypasses authentication, enabling unauthorized access to protected resources and allowing the attacker to impersonate the legitimate user. The CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L, base score 5.8) reflects network reachability, high attack complexity, no required privileges, and required user interaction.
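The defensive check the advisory says is missing, written out as an added example (not libsoup code): a server-side tracker that remembers which nonces it issued and requires the nonce-count (nc) to increase strictly on every request that reuses a nonce, so a verbatim replay of a captured Authorization header is rejected. The class and function names, the rejection strings and the sample header are all constructed for this illustration; the example deliberately checks only nonce/nc bookkeeping and does not verify the digest response hash.

```python
import os
import re
import time
import binascii
from dataclasses import dataclass

# key=value or key="quoted value" pairs inside a Digest Authorization header
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k1="v1", k2=v2, ...' into a dict; {} if the scheme is not Digest."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {key: quoted or unquoted for key, quoted, unquoted in _PARAM_RE.findall(rest)}


@dataclass
class _NonceState:
    issued_at: float
    last_nc: int = 0  # highest nonce-count accepted so far (0 = not used yet)


class DigestNonceTracker:
    """Remembers issued nonces and enforces a strictly increasing nc per nonce (hypothetical helper)."""

    def __init__(self, lifetime_s: float = 300.0, clock=time.monotonic):
        self._nonces: dict = {}
        self._lifetime = lifetime_s
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue_nonce(self) -> str:
        """Mint a random nonce and record it as issued (would go into WWW-Authenticate)."""
        nonce = binascii.hexlify(os.urandom(16)).decode()
        self._nonces[nonce] = _NonceState(issued_at=self._clock())
        return nonce

    def check(self, nonce: str, nc_field: str) -> str:
        """Return 'ok' or a constructed rejection reason."""
        state = self._nonces.get(nonce)
        if state is None:
            return "unknown-nonce"      # never issued by this server, or already retired
        if self._clock() - state.issued_at > self._lifetime:
            del self._nonces[nonce]      # retire stale nonces; client must re-authenticate
            return "stale-nonce"
        try:
            nc = int(nc_field, 16)       # nc is 8 hex digits per RFC 7616
        except (TypeError, ValueError):
            return "malformed-nc"
        if nc <= state.last_nc:
            return "replayed-nc"         # same or lower count: captured header replayed
        state.last_nc = nc
        return "ok"


def check_authorization(tracker: DigestNonceTracker, header: str) -> str:
    """Apply the nonce/nc check to a raw Authorization header value."""
    params = parse_digest_header(header)
    if not params:
        return "not-digest"
    return tracker.check(params.get("nonce", ""), params.get("nc", ""))


def simulate_replay() -> list:
    """Constructed scenario: one legitimate request, then the same header replayed."""
    tracker = DigestNonceTracker()
    nonce = tracker.issue_nonce()
    # Constructed header; the response value is a placeholder, not a real digest.
    header = ('Digest username="alice", realm="app", nonce="%s", uri="/secret", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", response="PLACEHOLDER"' % nonce)
    return [
        check_authorization(tracker, header),                                   # first use
        check_authorization(tracker, header),                                   # verbatim replay
        check_authorization(tracker, header.replace("nc=00000001", "nc=00000002")),  # next request
        check_authorization(tracker, header.replace(nonce, "deadbeef")),        # never issued
    ]


if __name__ == "__main__":
    for outcome in simulate_replay():
        print(outcome)
```

The point of the design is that rejection does not depend on knowing the user's password: the server only needs its own record of issued nonces and the last accepted nc for each. A real implementation would additionally bound the nonce table (per-client limits or expiry sweeps) so that an unauthenticated peer cannot grow it without limit.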

Mitigation guidance and patches are detailed in related advisories, including Red Hat's security bulletin at https://access.redhat.com/security/cve/CVE-2026-3099, Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2442232, and GNOME's Libsoup GitLab issue at https://gitlab.gnome.org/GNOME/libsoup/-/issues/495.


Vulnerability details

A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The server-side nonce handling flaw in HTTP digest auth directly enables replay-based bypass for unauthorized access to a network-exposed application (T1190) and abuse of captured valid account authentication material without the original password (T1078).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-4271 (same product: GNOME Libsoup)
- CVE-2026-5119 (same product: GNOME Libsoup)
- CVE-2026-2436 (same product: GNOME Libsoup)
- CVE-2025-14087 (same product: Red Hat Enterprise Linux)
- CVE-2026-5201 (same product: Red Hat Enterprise Linux)
- CVE-2026-9064 (same product: Red Hat Enterprise Linux)
- CVE-2026-4480 (same product: Red Hat Enterprise Linux)
- CVE-2026-33845 (same product: Red Hat Enterprise Linux)
- CVE-2025-32988 (same product: Red Hat Enterprise Linux)
- CVE-2026-3559 (shared CWE-323)

Affected Assets

- gnome / libsoup: all versions
- redhat / enterprise linux: 10.0, 6.0, 7.0, 8.0, 9.0

Mitigating Controls (NIST 800-53 r5)

- SC-23 Session Authenticity (prevent): Directly requires protection of session authenticity, which mandates replay protection mechanisms such as proper nonce tracking and nc enforcement in digest authentication.
- Authenticator management (prevent): Requires management of authenticators to prevent reuse, directly addressing the failure to enforce unique/incrementing nonces that enables replay of captured headers.
- AC-3 Access Enforcement (prevent): Enforces approved authorizations for access; proper implementation would reject replayed credentials that bypass the intended digest authentication checks.
