CVE-2026-50052
Summary
| CVE | CVE-2026-50052 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-03 06:16:35 UTC |
| Updated | 2026-06-03 06:16:35 UTC |
| Description | In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default. |
Risk And Classification
Primary CVSS: v4.0 2.3 LOW from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green
Problem Types: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 2.3 | LOW | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 2.3 | LOW | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/A... |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | The Vinyl Cache Project | Vinyl Cache | affected 9.0.0 | Not specified |
| CNA | The Vinyl Cache Project | Vinyl Cache | unaffected 9.0.1 | Not specified |
| CNA | The Vinyl Cache Project | Varnish Cache Pre Split | affected 7.6.0 8.0.1 semver | Not specified |
| CNA | The Vinyl Cache Project | Varnish Cache Pre Split | unaffected 8.0.2 | Not specified |
| CNA | The Vinyl Cache Project | Varnish Cache Pre Split | affected 6.0.14 6.0.17 semver | Not specified |
| CNA | The Vinyl Cache Project | Varnish Cache Pre Split | unaffected 6.0.18 | Not specified |
| CNA | Varnish Software | Varnish Cache By Varnish Software | affected 9.0.0 9.0.2 semver | Not specified |
| CNA | Varnish Software | Varnish Cache By Varnish Software | unaffected 9.0.3 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| vinyl-cache.org/security/VSV00019.html | [email protected] | vinyl-cache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: Update to fix version
Workarounds
CNA: Disable HTTP/2

The vulnerability can only be exploited if HTTP/2 support is enabled. Where it is, it can be disabled

* at runtime by issuing `vinyladm param.set feature -http2`
* persistently by removing `-p feature=+http2` from the `vinyld` startup parameters

Note that HTTP/2 typically requires a TLS offloader, which must be changed to no longer send the h2 ALPN. For example with haproxy, in the listen/bind configuration directive, `alpn h2,http/1.1` should be replaced with `alpn http/1.1`.
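An added example, not part of the advisory: a small audit helper that checks whether a daemon command line leaves the http2 feature bit on, and rewrites haproxy bind lines to drop h2 from the ALPN list as the workaround above describes. The sample command line, haproxy configuration, paths and function names are constructed for illustration, and only literal `+http2` / `-http2` flags are interpreted.

```python
import re
import shlex

# Constructed sample inputs (not taken from the advisory).
SAMPLE_CMDLINE = "varnishd -a :6081 -f /etc/varnish/default.vcl -p feature=+http2"
SAMPLE_HAPROXY = """\
frontend fe_tls
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_cache
"""

def http2_enabled(cmdline):
    """True if -p feature=... leaves http2 on; flags are applied left to right."""
    args = shlex.split(cmdline)
    enabled = False  # the advisory states HTTP/2 support is off by default
    for i, arg in enumerate(args):
        if arg == "-p" and i + 1 < len(args):
            param = args[i + 1]
        elif arg.startswith("-p") and len(arg) > 2:
            param = arg[2:]  # attached form: -pfeature=+http2
        else:
            continue
        name, _, value = param.partition("=")
        if name == "feature":
            for flag in re.split(r"[,\s]+", value):
                if flag in ("+http2", "-http2"):
                    enabled = flag.startswith("+")
    return enabled

ALPN = re.compile(r"\balpn\s+(\S+)")

def haproxy_without_h2(config):
    """Return (changed line numbers, config text) with h2 removed from bind ALPN lists."""
    changed, out = [], []
    for number, line in enumerate(config.splitlines(), 1):
        match = ALPN.search(line) if line.lstrip().startswith("bind") else None
        if match and "h2" in match.group(1).split(","):
            # Assumption: a bind that offered only h2 falls back to http/1.1.
            kept = [p for p in match.group(1).split(",") if p != "h2"] or ["http/1.1"]
            line = line[:match.start(1)] + ",".join(kept) + line[match.end(1):]
            changed.append(number)
        out.append(line)
    return changed, "\n".join(out)

if __name__ == "__main__":
    print("http2 enabled:", http2_enabled(SAMPLE_CMDLINE))
    print(*haproxy_without_h2(SAMPLE_HAPROXY), sep="\n")
```
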
CNA: In VCL, add a vmod re2 header filter

This method requires [vmod_re2](https://gitlab.com/uplex/varnish/libvmod-re2). vmod_re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be used to remove injected invalid header lines, which are the vehicle required for launching desync attacks exploiting this vulnerability.

To the best of our knowledge, the following VCL snippet at the top of the custom VCL adds protection by removing invalid headers:

```vcl
## BEGIN vsv19 mitigation
#
import re2;

sub vcl_init {
    new sane = re2.set(anchor=start, case_sensitive=false);
    # https://httpwg.org/specs/rfc9110.html#rule.token.separators
    # SLIGHTLY more relaxed, because it allows trailing SP / HTAB
    sane.add("[-!#$%&'*+.^_`|~a-z0-9]+:[\s\x21-\x7E\x80-\xff]+$");
}

sub vcl_recv {
    sane.hdr_filter(req, true);
}
#
## END vsv19 mitigation
```

To the best of our knowledge, where vmod_re2 is already used with a hdr_filter in allow mode (second argument true), protection is already sufficient unless the empty string is allowed.
CNA: >= 7.6.0 plain VCL mitigation

For versions 7.6.0 and higher, this method requires no additional VMODs, but needs inline-C to be enabled.

For Vinyl Cache:

* at runtime by issuing `vinyladm param.set vcc_feature +allow_inline_c`
* persistently by adding `-p vcc_feature=+allow_inline_c` to the `vinyld` startup parameters

For Varnish Cache:

* at runtime by issuing `varnishadm param.set vcc_feature +allow_inline_c`
* persistently by adding `-p vcc_feature=+allow_inline_c` to the `varnishd` startup parameters

Besides enabling inline-C, the following snippet needs to be added at the top of the custom VCL:

```vcl
## BEGIN vsv19 mitigation
#
sub recv_vsv19 {
    unset req.http.vsv19;
    if (req.proto != "HTTP/2.0" || ! req.http.content-length) {
        return;
    }
    set req.http.vsv19 = "1";
    C{
    VRT_SetHdr(ctx, &VGC_HDR_REQ_content_2d_length, 0,
        TOSTRAND(VRT_GetHdr(ctx, &VGC_HDR_REQ_content_2d_length)));
    }C
}

sub vcl_recv {
    call recv_vsv19;
}

sub vcl_backend_fetch {
    if (bereq.http.vsv19) {
        set bereq.http.Connection = "close";
    }
}
#
## END vsv19 mitigation
```

In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL.
CNA: 6.0 plain VCL mitigation

For version 6.0 LTS, this method works in pure VCL with no other changes required. The following snippet needs to be added at the top of the custom VCL:

```vcl
## BEGIN vsv19 mitigation
#
sub recv_vsv19 {
    unset req.http.vsv19;
    if (req.proto != "HTTP/2.0" || ! req.http.content-length) {
        return;
    }
    set req.http.vsv19 = "1";
    set req.http.content-length = req.http.content-length;
}

sub vcl_recv {
    call recv_vsv19;
}

sub vcl_backend_fetch {
    if (bereq.http.vsv19) {
        set bereq.http.Connection = "close";
    }
}
#
## END vsv19 mitigation
```

In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL.