HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Summary
| CVE | CVE-2026-2332 |
|---|---|
| State | PUBLISHED |
| Assigner | eclipse |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-14 12:16:21 UTC |
| Updated | 2026-07-02 12:17:02 UTC |
| Description | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.000140000 probability, percentile 0.025660000 (date 2026-04-21)
Problem Types: CWE-444 | CWE-444 CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling') | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | ADP | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | [email protected] | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf | [email protected] | github.com | Exploit, Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:21773 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20568 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17668 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10175 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22453 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-2332 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14272 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| gitlab.eclipse.org/security/cve-assignment/-/issues/89 | [email protected] | gitlab.eclipse.org | Issue Tracking, Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2332.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: https://github.com/xclow3n (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-14T12:01:05.768Z | Reported to Red Hat. |
| ADP | 2026-04-14T10:59:10.193Z | Made public. |
Solutions
ADP: RHSA-2026:20568: Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
ADP: RHSA-2026:25089: HawtIO HawtIO 4.4.0
ADP: RHSA-2026:14272: Red Hat AMQ Broker 7.13.5
ADP: RHSA-2026:22453: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
ADP: RHSA-2026:21773: Red Hat Offline Knowledge Portal 1.2.7
ADP: RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27
ADP: RHSA-2026:17668: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14
Workarounds
ADP: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.