CVE-2026-2332

NameCVE-2026-2332
DescriptionIn Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jetty12 (PTS)trixie (security), trixie12.0.17-3.1~deb13u1vulnerable
forky, sid12.0.33-1fixed
jetty9 (PTS)bullseye9.4.50-4+deb11u2vulnerable
bullseye (security)9.4.57-0+deb11u3vulnerable
bookworm, bookworm (security)9.4.57-1.1~deb12u1vulnerable
trixie (security), trixie9.4.57-1.1~deb13u1vulnerable
forky, sid9.4.58-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jetty12source(unstable)12.0.33-1
jetty9source(unstable)(unfixed)

Notes

https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
Search for package or bug name: Reporting problems