CVE-2026-2332

CRITICAL EPSS 40.4%
Published Apr 14, 20262mo ago · Modified Jun 17, 20261w ago
9.1 CVSS 3.1
Critical
Find Similar
Published Apr 14, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

CVSS Details

Base Score
9.1
Exploitability
3.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
40.4% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-444

Affected Products 5

VendorProductVersionRange
eclipsejetty*≥9.4.0  –  <9.4.60
eclipsejetty*≥10.0.0  –  <10.0.28
eclipsejetty*≥11.0.0  –  <11.0.28
eclipsejetty*≥12.0.0  –  <12.0.33
eclipsejetty*≥12.1.0  –  <12.1.7

References 2

  • github.com https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
    ExploitMitigationVendor Advisory
  • gitlab.eclipse.org https://gitlab.eclipse.org/security/cve-assignment/-/issues/89
    Issue TrackingVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.