CVE-2026-3099
Published: 12 March 2026
Summary
CVE-2026-3099 is a medium-severity vulnerability in Red Hat Enterprise Linux, classified as Reusing a Nonce, Key Pair in Encryption (CWE-323). Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-3099, published on 2026-03-12, is a vulnerability in Libsoup, specifically in the server-side digest authentication implementation of the SoupAuthDomainDigest class. The flaw, classified under CWE-323, is that the component neither tracks the nonces it has issued nor enforces the required incrementing nonce-count (nc) attribute. This affects Libsoup's handling of HTTP digest authentication on the server side.
A remote attacker with no privileges can exploit this vulnerability by capturing a single valid authentication header from a legitimate user and replaying it repeatedly. Successful exploitation bypasses authentication, enabling unauthorized access to protected resources and allowing the attacker to impersonate the legitimate user. The attack is network-reachable, has high attack complexity, needs no privileges, and requires user interaction, with a CVSS v3.1 base score of 5.8 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L).
Mitigation guidance and patches are detailed in related advisories, including Red Hat's security bulletin at https://access.redhat.com/security/cve/CVE-2026-3099, Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2442232, and GNOME's Libsoup GitLab issue at https://gitlab.gnome.org/GNOME/libsoup/-/issues/495.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11573
Vulnerability details
A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.
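As an added example (not Libsoup code and not from the advisory), the following Python model shows the server-side bookkeeping the advisory describes as missing: every challenge nonce is recorded when issued, and a request is accepted only if its nonce was issued by this server, is not stale, its response hash verifies, and its nc strictly exceeds the highest nc already accepted for that nonce. The realm, usernames, passwords, TTL and header values are constructed for illustration.

```python
import hashlib
import re
import secrets
import time

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest_header(value):
    """Split an 'Authorization: Digest k=v, ...' value into a dict of fields."""
    return {k: q or b for k, q, b in _PARAM.findall(value)}

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Expected 'response' value for algorithm=MD5, qop=auth (RFC 7616 3.4)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestReplayGuard:
    """The state the advisory says is missing: issued nonces and the highest nc seen."""
    def __init__(self, ttl=300, clock=time.monotonic):
        # nonce -> [issued_at, highest_nc_accepted]; ttl keeps the table bounded
        self._issued, self._ttl, self._clock = {}, ttl, clock

    def issue_nonce(self):
        nonce = secrets.token_hex(16)  # unpredictable per-challenge value
        self._issued[nonce] = [self._clock(), 0]
        return nonce

    def authorize(self, header, realm, password_lookup, method):
        """Return (accepted, reason); nc only advances once the hash verifies."""
        p = parse_digest_header(header)
        entry = self._issued.get(p.get("nonce"))
        if entry is None:
            return False, "unknown nonce"  # never issued here, or already expired
        if self._clock() - entry[0] > self._ttl:
            del self._issued[p["nonce"]]
            return False, "stale nonce"
        if not re.fullmatch(r"[0-9a-fA-F]{8}", p.get("nc", "")):
            return False, "malformed nc"
        user = p.get("username", "")
        expected = digest_response(user, realm, password_lookup(user), method,
                                   p.get("uri", ""), p["nonce"], p["nc"], p.get("cnonce", ""))
        if not secrets.compare_digest(expected.encode(), p.get("response", "").encode()):
            return False, "bad response"  # wrong password or tampered fields
        nc = int(p["nc"], 16)
        if nc <= entry[1]:  # the check CVE-2026-3099 describes as missing
            return False, "replayed nc"
        entry[1] = nc
        return True, "ok"
```

Verifying the hash before advancing nc matters: otherwise a forged header with a high nc could lock a legitimate client out of its own nonce.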
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The server-side nonce handling flaw in HTTP digest auth directly enables replay-based bypass for unauthorized access to a network-exposed application (T1190) and abuse of captured valid account authentication material without the original password (T1078).
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Directly requires protection of session authenticity, which mandates replay protection mechanisms such as proper nonce tracking and nc enforcement in digest authentication.
- Authenticator management: Requires management of authenticators to prevent reuse, directly addressing the failure to enforce unique/incrementing nonces that enables replay of captured headers.
- AC-3 (Access Enforcement): Enforces approved authorizations for access; a proper implementation would reject replayed credentials that bypass the intended digest authentication checks.