Cyber Resilience

CVE-2026-3632

LowPublic PoC

Published: 17 March 2026

Published
17 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v3.1 3.9 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
EPSS Score 0.0013 31.9th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3632 is a low-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 3.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this…

more

to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote HTTP request smuggling via unsanitized headers directly enables exploitation of public-facing web apps (T1190); SSRF outcome is secondary and low-impact per description.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

gnome
libsoup
all versions
redhat
enterprise linux
10.0, 6.0, 7.0, 8.0, 9.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References