DEBIAN-CVE-2026-2708

DEBIAN-CVE-2026-2708 PUBLISHED CVSS 5.300000190734863 MEDIUM

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.

Risk Scores

CVSS 3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:11	libsoup2.4	2.74.1-1, 2.74.3-8.1, 2.74.3-8
Debian:13	libsoup2.4	2.74.3-11, 2.74.3-10.1, 0
Debian:14	libsoup3	3.6.5-4, 3.6.5-3, 0
Debian:12	libsoup2.4	2.74.3-1, 2.74.3-1, 2.74.3-1+deb12u1
Debian:12	libsoup3	3.2.3-0, 3.2.2-2, 0
Debian:13	libsoup3	3.6.5-5, 3.6.5-6, 3.6.5-7

Timeline

Apr 23, 2026 CVE Published
May 5, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-2708 advisory

Open in Interactive Console →