CVE-2026-2708
Public on 2026-02-20
Modified on 2026-02-20
Description
libsoup includes an embedded HTTP/1 server. When a server sits behind a proxy / load balancer, it’s critical that every hop agrees on how request bodies are framed.
In the affected code path, libsoup accepted HTTP/1 requests with ambiguous body framing:
- multiple Content-Length headers (CL.CL)
- Transfer-Encoding: chunked together with Content-Length (TE+CL)
Different intermediaries pick different framing rules in these cases. If a front-end and back-end disagree, an attacker can desynchronize the connection and “smuggle” an extra request through the chain. Depending on deployment, this can lead to routing/ACL bypass, cache poisoning, or reaching internal-only endpoints.
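A header check that rejects the two ambiguous framing cases listed above, as an added example; it is not libsoup's code or its fix, and the names `check_framing` and `enum framing` are hypothetical. It assumes the request head is a NUL-terminated, CRLF-delimited string, and it conservatively flags any repeated Content-Length and any Transfer-Encoding that appears alongside Content-Length.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical result codes for this example. */
enum framing { FRAMING_OK, FRAMING_CL_CL, FRAMING_TE_CL };

/* True if the header line (len bytes, no CRLF) has this field name; names are case-insensitive. */
static int is_header(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    return len > n && strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Scan the request line and headers only; stop at the blank line so body bytes are never counted. */
enum framing check_framing(const char *head)
{
    int cl = 0, te = 0;
    const char *p = strstr(head, "\r\n");          /* end of the request line */
    while (p != NULL) {
        p += 2;                                    /* start of the next header line */
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0)
            break;                                 /* blank line: end of headers */
        if (is_header(p, len, "Content-Length"))
            cl++;
        else if (is_header(p, len, "Transfer-Encoding"))
            te++;
        p = eol;
    }
    if (te > 0 && cl > 0) return FRAMING_TE_CL;    /* TE+CL: two competing framings */
    if (cl > 1) return FRAMING_CL_CL;              /* CL.CL: which length wins is hop-dependent */
    return FRAMING_OK;
}

int main(void)
{
    /* Constructed sample request heads, not captured traffic. */
    const char *samples[] = {
        "POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n\r\n",
        "POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\nContent-Length: 9\r\n\r\n",
        "POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n",
    };
    static const char *names[] = { "ok", "reject: CL.CL", "reject: TE+CL" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu -> %s\n", i, names[check_framing(samples[i])]);
    return 0;
}
```

A server or proxy applying this check would answer 400 and close the connection for anything other than `FRAMING_OK`, so no hop has to guess where the body ends.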
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | libsoup | | | Not Affected |
| Amazon Linux 2023 | libsoup | | | Not Affected |
| Amazon Linux 2023 | libsoup3 | | | Pending Fix |
CVSS Scores
| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |