VYPR
Medium severity 4.8 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-6324

Description

A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the soup_body_input_stream_read_chunked() function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unsigned-to-signed conversion error in libsoup's chunked decoding allows HTTP request smuggling, potentially bypassing security controls.

Vulnerability

A flaw exists in libsoup's HTTP/1.1 chunked transfer encoding handling in the soup_body_input_stream_read_chunked() function in libsoup/http1/soup-body-input-stream.c [1][2]. The chunk size is parsed with strtoul(), which returns an unsigned long, and the result is assigned to a goffset (signed 64-bit) without bounds checking [2]. When a chunk size >= 2^63 is provided, the value becomes negative after assignment. The subsequent check, if (priv->read_length > 0), fails for the negative value, so the chunk is treated as end-of-body: the stream transitions to trailer parsing and is marked as done prematurely [2]. This vulnerability affects all libsoup versions prior to the fix [1]. Exploitation requires libsoup to be operating behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server [1][4].

Exploitation

An attacker sends a crafted HTTP request containing a chunked body with a hex chunk size that has the most significant bit set (e.g., "8000000000000001") [2]. The attacker must be able to send HTTP requests to a vulnerable libsoup instance, which is either used as a backend behind a non-libsoup proxy or as a proxy itself [1][4]. No authentication is required; the attacker only needs network access to send the malicious request. The request is forwarded through the non-libsoup proxy (or to the non-libsoup backend), and libsoup reads the chunked body, misinterprets the large chunk size as end-of-body, and then treats any subsequent bytes on the same connection as the start of the next HTTP request, enabling request smuggling [2].

Impact

Successful exploitation allows an attacker to perform HTTP request smuggling, which can lead to web cache poisoning, bypassing security controls, and gaining unauthorized access to resources [1][2]. The attacker can inject arbitrary HTTP requests that are interpreted by the backend or downstream components, potentially compromising data confidentiality, integrity, and availability depending on the deployed architecture [1][4].

Mitigation

As of the publication date, no official patch is available for libsoup [2]. Red Hat has acknowledged the issue and is working on a fix [1]. Users should monitor the libsoup repository for updates and apply the patch as soon as it is released [2]. As a workaround, avoid using libsoup in configurations where it sits behind a non-libsoup proxy or as a proxy in front of a non-libsoup backend [1]. Alternatively, disable HTTP/1.1 chunked transfer encoding at the proxy level if possible [4].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unsigned to signed conversion error in chunk size parsing allows a negative read_length to be treated as end-of-body, enabling HTTP request smuggling."

Attack vector

A remote attacker sends a malicious HTTP request with a chunked Transfer-Encoding body where the chunk-size hex value has the most significant bit set (e.g., `"8000000000000001"`). The unsigned-to-signed conversion error in `soup_body_input_stream_read_chunked()` [ref_id=1] causes libsoup to interpret the chunk as end-of-body. Remaining bytes on the same keep-alive connection are then parsed as the next HTTP request, enabling HTTP request smuggling. This works when libsoup operates behind a non-libsoup proxy or as a proxy in front of a non-libsoup backend.

Affected code

The vulnerability resides in `libsoup/http1/soup-body-input-stream.c` in the function `soup_body_input_stream_read_chunked()`. The chunk size parsed by `strtoul()` (unsigned) is stored into the signed `goffset read_length` field of `SoupBodyInputStreamPrivate`. When the chunk size is ≥ 2^63, the signed value becomes negative, causing the state machine to treat it as end-of-body and transition to TRAILERS/DONE prematurely.

What the fix does

The advisory [ref_id=1] identifies that the root cause is storing the result of `strtoul()` (unsigned) into a signed `goffset` variable. When the chunk size is ≥ 2^63, the signed value becomes negative, and the `if (priv->read_length > 0)` check incorrectly treats it as end-of-body. The fix would need to ensure the chunk size is properly validated as a positive value before assignment, preventing the premature transition to the TRAILERS state. No patch diff is included in the bundle.
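The conversion described above, next to a range-checked parse of the kind the fix would need, as an added example (not libsoup's code and not a patch from the advisory). `offset_t` stands in for `goffset`, `strtoull` stands in for `strtoul`, and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int64_t offset_t;   /* stand-in for GLib's signed 64-bit goffset */

/* Pattern the advisory describes: unsigned parse result stored in a signed
 * field with no range check (strtoull used so the width is 64 bits everywhere). */
static offset_t chunk_size_unchecked(const char *line)
{
    return (offset_t)strtoull(line, NULL, 16);
}

/* Mirrors the `read_length > 0` test: any non-positive size ends the body. */
static int treated_as_last_chunk(offset_t read_length)
{
    return !(read_length > 0);
}

/* Hardened parse (hypothetical helper): hex digits only, value must fit in
 * the signed type. Returns 0 on success, -1 on a malformed or oversized line. */
static int chunk_size_checked(const char *line, offset_t *out)
{
    uint64_t v = 0;
    const char *p = line;
    if (!isxdigit((unsigned char)*p))           /* empty, sign or space */
        return -1;
    for (; isxdigit((unsigned char)*p); p++) {
        int c = tolower((unsigned char)*p);
        uint64_t d = (uint64_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        if (v > ((uint64_t)INT64_MAX - d) / 16) /* v*16+d would exceed INT64_MAX */
            return -1;
        v = v * 16 + d;
    }
    if (*p != '\0' && *p != ';' && *p != '\r')  /* extension or line end only */
        return -1;
    *out = (offset_t)v;
    return 0;
}

int main(void)
{
    const char *size = "8000000000000001";      /* example value from the page */
    offset_t n = chunk_size_unchecked(size), checked = 0;
    printf("unchecked: %lld, ends body: %d\n", (long long)n, treated_as_last_chunk(n));
    printf("checked parse returns %d\n", chunk_size_checked(size, &checked));
    return 0;
}
```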

Preconditions

  • network: The attacker must be able to send HTTP requests to a libsoup instance that is either behind a non-libsoup proxy or acting as a proxy in front of a non-libsoup backend server.
  • config: The connection must use HTTP/1.1 keep-alive so that smuggled bytes are interpreted as a subsequent request.
  • input: The attacker must send a chunked Transfer-Encoding body with a chunk size hex value ≥ 2^63.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
