Critical Vulnerabilities in Fedora 43: Information Disclosure and Header Smuggling
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity
Keywords: fedora, critical, header, smuggling, cve-2026, prevent, jitka
Severity indicators: critical
Summary
Fedora 43 has reported two critical vulnerabilities affecting libsoup3 and perl-HTTP-Tiny. CVE-2026-5119, published on March 30, 2026, allows information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment. This vulnerability impacts users of libsoup3 in Fedora 43. CVE-2026-7010, published on May 11, 2026, addresses a header smuggling issue in perl-HTTP-Tiny, which can introduce security risks by allowing invalid characters in headers. Both vulnerabilities can be mitigated by applying the latest updates available through the dnf update program. Users are urged to upgrade to the patched versions to secure their systems against potential exploitation.
Key Points:
- CVE-2026-5119 allows information disclosure via cleartext cookie transmission.
- CVE-2026-7010 fixes a header smuggling vulnerability in perl-HTTP-Tiny.
- Users are advised to update their systems using the dnf upgrade command.
Detailed Analysis
**Impact** Users of Fedora 43 systems utilizing libsoup3 and perl-HTTP-Tiny libraries are affected. The vulnerabilities expose sensitive information such as cookies transmitted in cleartext to HTTP proxies during HTTPS requests and allow header smuggling attacks. This can lead to information disclosure and potential session hijacking, impacting confidentiality and integrity of web communications. No specific sectors or geographies are detailed in the reports.

**Technical Details** CVE-2026-5119 affects libsoup3 (version 3.6.6-3), where cookies are sent in cleartext to HTTP proxies during HTTPS tunnel establishment, enabling information disclosure. CVE-2026-7010 affects perl-HTTP-Tiny (version 0.094-1), allowing header smuggling via invalid characters in HTTP headers. Both vulnerabilities relate to HTTP request handling and occur during the initial stages of network communication. No malware, tools, or IOCs are mentioned.

**Recommended Response** Apply the Fedora updates using the "dnf" package manager with advisories FEDORA-2026-37298d309 for libsoup3 and FEDORA-2026-3bfb774625 for perl-HTTP-Tiny immediately. Monitor network traffic for anomalous HTTP header behavior and cleartext cookie transmissions to HTTP proxies. Harden proxy configurations to enforce encryption and validate HTTP headers to mitigate header smuggling risks.
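One way to act on the monitoring advice above, as an added example (not code from Fedora, libsoup or HTTP::Tiny): a Python check over a request head captured on the client-to-proxy leg. It assumes the libsoup3 leak shows up as a Cookie header on the CONNECT request; the function name and the sample requests are constructed for illustration.

```python
import re

# RFC 9110 "token" characters permitted in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Bytes that must not appear in a field value: NUL, bare CR/LF,
# other C0 controls (HTAB is allowed) and DEL.
BAD_VALUE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def audit_proxy_request(raw: bytes) -> list[str]:
    """Return findings for one request head seen between client and HTTP proxy."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            findings.append(f"invalid header line: {line!r}")
            continue
        # A bare CR or LF inside a value survives the CRLF split above
        # and is the on-the-wire trace of an unvalidated header value.
        if BAD_VALUE.search(value.strip(b" \t")):
            findings.append(f"control character in {name.decode()} value")
        # CONNECT is sent to the proxy before TLS starts, so any cookie
        # on it is readable by the proxy and by anyone on that path.
        if method == b"CONNECT" and name.lower() == b"cookie":
            findings.append("cookie sent in cleartext on CONNECT to proxy")
    return findings


# Constructed sample captures (not taken from any real traffic).
CONNECT_LEAK = (b"CONNECT shop.example:443 HTTP/1.1\r\n"
                b"Host: shop.example:443\r\n"
                b"Cookie: session=constructed-value\r\n\r\n")
CONNECT_CLEAN = (b"CONNECT shop.example:443 HTTP/1.1\r\n"
                 b"Host: shop.example:443\r\n\r\n")
BARE_LF = (b"GET http://intranet.example/ HTTP/1.1\r\n"
           b"Host: intranet.example\r\n"
           b"X-Trace: a\nX-Injected: 1\r\n\r\n")

if __name__ == "__main__":
    for sample in (CONNECT_LEAK, CONNECT_CLEAN, BARE_LF):
        print(audit_proxy_request(sample))
```

A value containing a full CRLF pair is indistinguishable on the wire from two legitimate headers, so this check complements, and does not replace, applying the package updates.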
Source articles (2)
- Fedora 43 libsoup3 Critical Information Disclosure CVE-2026 — Linuxsecurity · 2026-06-04
  * Tue May 19 2026 Luigi Pavan - 3.6.6-3 - Fix CVE-2026-5119: cookies sent in cleartext to HTTP proxy for HTTPS requests …
- Fedora 43 perl-HTTP-Tiny Critical Header Smuggling Fix CVE-2026 — Linuxsecurity · 2026-06-05
  0.094 - fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010) * Wed May 20 2026 Jitka Plesnikova - 0.094-1 - 0.094 bump (rhbz#2478249) …
Timeline
- 2026-03-30 — CVE-2026-5119 published: information disclosure via cleartext cookies in libsoup3.
- 2026-05-11 — CVE-2026-7010 published: header smuggling in perl-HTTP-Tiny.
- 2026-05-19 — CVE-2026-5119 patched: Fedora released an update to fix CVE-2026-5119 in libsoup3.
- 2026-05-20 — CVE-2026-7010 patched: An update was released for perl-HTTP-Tiny to address CVE-2026-7010.
CVEs
Related entities
- Data Breach (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- Fedora (Company)
- Linux (Platform)