CVE-2026-1760: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Red Hat Red Hat Enterprise Linux 10
A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.
AI Analysis
Technical Summary
CVE-2026-1760 is a medium-severity HTTP request smuggling vulnerability identified in SoupServer, a component included in Red Hat Enterprise Linux 10. The vulnerability stems from inconsistent interpretation and improper handling of HTTP requests that simultaneously use the Transfer-Encoding: chunked and Connection: keep-alive headers. According to RFC 9112, servers must close connections under certain conditions to prevent request smuggling attacks. However, SoupServer fails to close the connection properly, allowing an attacker to send specially crafted HTTP requests that are 'smuggled' through the persistent connection. This enables the attacker to inject additional HTTP requests that the server processes unintentionally. The attack can be performed remotely without authentication or user interaction, exploiting the network-accessible HTTP interface. The primary impact is denial-of-service (DoS), as the server may process unintended requests or become unstable due to connection mismanagement. The vulnerability does not directly compromise confidentiality or integrity but affects availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects these characteristics. No known exploits have been reported in the wild, but the vulnerability requires attention due to the potential for disruption in critical environments. Mitigation involves patching SoupServer when updates are released, monitoring HTTP traffic for anomalous patterns, and applying network-level controls to limit persistent connections and malformed requests. Given the widespread use of Red Hat Enterprise Linux 10 in enterprise and government sectors, this vulnerability poses a moderate risk that must be managed proactively.
Potential Impact
The primary impact of CVE-2026-1760 is on the availability of systems running SoupServer on Red Hat Enterprise Linux 10. Attackers can exploit this vulnerability to perform denial-of-service attacks by smuggling additional HTTP requests over persistent connections, potentially causing the server to process unintended requests or become unstable. While confidentiality and integrity are not directly affected, the disruption of service can impact business operations, especially for organizations relying on Red Hat Enterprise Linux 10 for critical infrastructure and web services. The ease of exploitation—requiring no authentication or user interaction—raises the risk of automated attacks or scanning by malicious actors. Organizations with externally facing HTTP services using SoupServer are particularly vulnerable. The vulnerability could also be leveraged as part of a broader attack chain to degrade service availability or bypass security controls that rely on proper HTTP request parsing. The absence of known exploits in the wild currently limits immediate risk, but the medium severity rating and potential for DoS warrant timely mitigation to prevent future exploitation.
Mitigation Recommendations
1. Monitor Red Hat advisories and apply patches or updates for SoupServer as soon as they become available to address this vulnerability directly.
2. Implement strict HTTP request validation and filtering at the network perimeter using web application firewalls (WAFs) or reverse proxies to detect and block malformed or suspicious HTTP requests combining Transfer-Encoding and Connection headers.
3. Limit the number of persistent HTTP connections and enforce connection timeouts to reduce the window of opportunity for request smuggling attacks.
4. Enable detailed logging and monitoring of HTTP traffic to identify anomalies indicative of request smuggling attempts, such as unexpected request sequences or connection behaviors.
5. Conduct regular security assessments and penetration testing focusing on HTTP request handling to detect similar vulnerabilities proactively.
6. Educate network and security teams about HTTP request smuggling techniques to improve incident detection and response capabilities.
7. Where feasible, segment critical services and restrict external exposure of SoupServer instances to reduce attack surface.
8. Consider deploying updated HTTP server components or alternative solutions if patching is delayed or unavailable.
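One way to implement the header check behind recommendations 2 and 4, as an added example that is not from the advisory or from SoupServer; the rule names and sample requests are constructed. It goes beyond the combination the page names by also tagging the RFC 9112 framing conditions that oblige a server to close the connection. Chunked bodies with Connection: keep-alive are ordinary on HTTP/1.1, so CHUNKED_KEEPALIVE is a review tag, not a block rule.

```python
# Added example: tag raw HTTP request heads whose framing headers need review.
# Rule names are hypothetical labels chosen for this sketch.
def parse_head(raw):
    """Return (version, headers); headers maps lower-cased names to value lists."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, _target, version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers

def tokens(headers, name):
    """Comma-separated tokens from every instance of a header, lower-cased."""
    return [t.strip().lower() for v in headers.get(name, [])
            for t in v.split(",") if t.strip()]

def findings(raw):
    """Return the rule names that a raw request head triggers, in check order."""
    try:
        version, headers = parse_head(raw)
    except ValueError:
        return ["MALFORMED"]
    te = tokens(headers, "transfer-encoding")
    conn = tokens(headers, "connection")
    hits = []
    if te and "content-length" in headers:    # RFC 9112 6.1: close after responding
        hits.append("TE_CL")
    if te and version.upper() == "HTTP/1.0":  # RFC 9112 6.1: faulty framing, close
        hits.append("TE_HTTP10")
    if te and te[-1] != "chunked":            # RFC 9112 6.3: 400, then close
        hits.append("TE_NOT_FINAL_CHUNKED")
    if "chunked" in te and "keep-alive" in conn:  # combination named on this page
        hits.append("CHUNKED_KEEPALIVE")
    return hits

# Constructed request heads (not captured traffic).
TE = b"Transfer-Encoding: chunked\r\n"
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "page_combo": b"POST /u HTTP/1.1\r\nHost: example.test\r\n" + TE
                  + b"Connection: keep-alive\r\n\r\n0\r\n\r\n",
    "http10_te": b"POST /u HTTP/1.0\r\n" + TE + b"Connection: keep-alive\r\n\r\n0\r\n\r\n",
    "te_cl": b"POST /u HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n" + TE + b"\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, findings(raw))
```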
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-02-02T12:25:23.985Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6980b180f9fa50a62f4545f5
Added to database: 2/2/2026, 2:15:28 PM
Last enriched: 3/20/2026, 1:56:04 AM
Last updated: 5/4/2026, 2:44:23 AM