Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames — CVE-2026-3632

Summary

Advisory CVE-2026-3632. Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames Vendor: Microsoft. Source: MSRC. Threat: low. CVSS 3.9. See the official advisory for details.

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• Libsoup: libsoup: header and http request injection via crlf injection CVE-2026-3633
• Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header CVE-2026-3634
• Mariner CVE-2026-32778
• FileInfo can escape from a Root in os CVE-2026-27139
• gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response CVE-2026-4437
• gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames CVE-2026-4438
• net: add xmit recursion limit to tunnel xmit functions CVE-2026-23276
• net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit CVE-2026-23277
• netfilter: nf_tables: always walk all pending catchall elements CVE-2026-23278
• netfilter: nf_tables: unconditionally bump set->nelems before insertion CVE-2026-23272
• netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels CVE-2026-23274
• perf: Fix __perf_event_overflow() vs perf_remove_from_context() race CVE-2026-23271