CVE-2026-2332

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf	Exploit Mitigation Vendor Advisory
https://gitlab.eclipse.org/security/cve-assignment/-/issues/89	Issue Tracking Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:14272
https://access.redhat.com/errata/RHSA-2026:17668
https://access.redhat.com/errata/RHSA-2026:20568
https://access.redhat.com/errata/RHSA-2026:21773
https://access.redhat.com/errata/RHSA-2026:22453
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/security/cve/CVE-2026-2332
https://bugzilla.redhat.com/show_bug.cgi?id=2458187
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2332.json

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::

History

30 Jun 2026, 03:18

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:10175 - () https://access.redhat.com/errata/RHSA-2026:14272 - () https://access.redhat.com/errata/RHSA-2026:17668 - () https://access.redhat.com/errata/RHSA-2026:20568 - () https://access.redhat.com/errata/RHSA-2026:21773 - () https://access.redhat.com/errata/RHSA-2026:22453 - () https://access.redhat.com/errata/RHSA-2026:25089 - () https://access.redhat.com/security/cve/CVE-2026-2332 - () https://bugzilla.redhat.com/show_bug.cgi?id=2458187 - () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2332.json -

17 Jun 2026, 10:30

Type	Values Removed	Values Added
References	~~() https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf - Exploit, Vendor Advisory, Mitigation~~	() https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf - Exploit, Mitigation, Vendor Advisory

01 May 2026, 13:31

Type	Values Removed	Values Added
CPE		cpe:2.3:a:eclipse:jetty::::::::
First Time		Eclipse jetty Eclipse
References	~~() https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf -~~	() https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf - Exploit, Vendor Advisory, Mitigation
References	~~() https://gitlab.eclipse.org/security/cve-assignment/-/issues/89 -~~	() https://gitlab.eclipse.org/security/cve-assignment/-/issues/89 - Issue Tracking, Vendor Advisory

14 Apr 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-14 12:16

Updated : 2026-06-30 03:18

NVD link : CVE-2026-2332

Mitre link : CVE-2026-2332

CVE.ORG link : CVE-2026-2332

JSON object : View

Products Affected

eclipse

jetty

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

7.4 /10