CVE-2026-1536 is a vulnerability identified in libsoup, a GNOME HTTP client/server library used in Red Hat Enterprise Linux 10. The flaw arises from improper neutralization of CRLF sequences in the Content-Disposition HTTP header. Specifically, an attacker who can influence the Content-Disposition header value can inject CR (Carriage Return) and LF (Line Feed) characters directly into the HTTP headers. When the HTTP request or response is constructed, these injected sequences are interpreted verbatim, allowing the attacker to inject arbitrary HTTP headers or split the HTTP response. This can lead to HTTP header injection or HTTP response splitting attacks. Such attacks can be exploited to manipulate how HTTP responses are processed by clients or intermediaries, potentially enabling cache poisoning, cross-site scripting (XSS), session fixation, or other malicious activities. The vulnerability does not require any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.8 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change with integrity impact but no confidentiality or availability impact. No known exploits have been reported in the wild yet. The vulnerability affects Red Hat Enterprise Linux 10 systems using the vulnerable libsoup library, which is commonly employed in HTTP client and server applications within this environment.

The primary impact of CVE-2026-1536 is the potential for attackers to manipulate HTTP headers and responses on vulnerable Red Hat Enterprise Linux 10 systems. This can undermine the integrity of HTTP communications, enabling attacks such as HTTP response splitting and header injection. Consequences include cache poisoning, where malicious content is cached by intermediaries; cross-site scripting (XSS), where attackers inject scripts into web pages viewed by other users; session fixation, allowing attackers to hijack user sessions; and other web-based attacks that rely on manipulating HTTP responses. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by unauthenticated attackers, increasing the risk of widespread exploitation. Organizations running web services or applications that rely on libsoup on RHEL 10 are particularly at risk. While confidentiality and availability impacts are not directly affected, the integrity of HTTP responses is compromised, which can lead to significant security breaches and trust erosion. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge.

To mitigate CVE-2026-1536, organizations should prioritize applying official patches or updates from Red Hat as soon as they become available for Red Hat Enterprise Linux 10 and the libsoup library. In the interim, administrators should audit and restrict inputs that influence the Content-Disposition header to ensure they do not contain CRLF sequences or other control characters. Implement strict input validation and sanitization on all user-controllable HTTP header values. Employ web application firewalls (WAFs) capable of detecting and blocking HTTP header injection and response splitting attempts. Monitor HTTP traffic for anomalous headers or unexpected response behaviors indicative of exploitation attempts. Additionally, review and harden HTTP server and proxy configurations to limit the impact of injected headers, such as disabling or restricting header forwarding where possible. Educate developers and system administrators about the risks of CRLF injection and encourage secure coding practices that properly encode or reject unsafe header inputs. Finally, maintain up-to-date inventories of affected systems and ensure timely vulnerability scanning to detect vulnerable libsoup versions.