CVE-2026-23527
Published 2026-01-15
CVE-2026-23527: H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability…
Priority P351 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.58% (43.1th percentile)
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3 | h3 | < 1.15.5 | 1.15.5 |
| h3 | h3 | >= 0 < 1.15.5 | 1.15.5 |
| h3js | h3 | < 1.15.5 | 1.15.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | | 8.9 | HIGH | |
GHSA
h3 v1 has Request Smuggling (TE.TE) issue
ghsa·2026-01-15
CVE-2026-23527 [HIGH] CWE-444 h3 v1 has Request Smuggling (TE.TE) issue
I was digging into h3 v1 (specifically v1.15.4) and found a critical HTTP Request Smuggling vulnerability.
Basically, `readRawBody` is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive.
**The Bug**: If I send a request with Transfer-Encoding: ChuNked (mixed case), h3 misses it. Since it doesn't see "chunked" and there's no Content-Length, it assumes the body is empty and processes the request immediately.
This leaves the actual body sitting on the socket, which triggers a classic TE.TE Desync (Request Smuggling) if the app is running behind a Layer 4 proxy or anything that doesn't normalize headers (like AWS NLB or Node proxies).
**Vu
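The parsing issue described in the report above, shown as an added example (JavaScript written for this page, not h3's code): a strict-equality check on the header value beside an RFC 9112-style framing decision that compares transfer-codings case-insensitively and rejects ambiguous framing. The function names and the inline header objects are assumptions.

```javascript
// Added example for this advisory, not h3's own code. Header objects
// are constructed inline with lowercased names, as Node's http module
// already delivers them; only the header *value* casing is at issue.

// Sketch of the weak check the report describes (hypothetical name):
// a strict comparison matches only the exact lowercase token, so a
// value such as "ChuNked" is not recognised and the body is skipped.
function isChunkedStrict(headers) {
  return headers["transfer-encoding"] === "chunked";
}

// Hardened framing decision (hypothetical name), following RFC 9112:
//  - transfer-coding names are compared case-insensitively
//  - "chunked" must be the final coding in the list, otherwise the
//    message length cannot be determined and the request is rejected
//  - Transfer-Encoding together with Content-Length is ambiguous
//    framing (a desync signal) and is rejected rather than guessed
function bodyFraming(headers) {
  const te = headers["transfer-encoding"];
  const cl = headers["content-length"];
  if (te !== undefined) {
    if (cl !== undefined) {
      throw new Error("rejected: Transfer-Encoding and Content-Length both present");
    }
    const codings = te
      .split(",")
      .map((c) => c.trim().toLowerCase())
      .filter((c) => c.length > 0);
    if (codings.length === 0 || codings[codings.length - 1] !== "chunked") {
      throw new Error("rejected: unsupported Transfer-Encoding " + JSON.stringify(te));
    }
    return { mode: "chunked" };
  }
  if (cl !== undefined) {
    if (!/^\d+$/.test(cl)) {
      throw new Error("rejected: invalid Content-Length " + JSON.stringify(cl));
    }
    return { mode: "length", length: Number(cl) };
  }
  // No framing header: the request carries no body (RFC 9112 section 6.3).
  return { mode: "none" };
}

// Constructed request headers: the strict check misses the mixed-case
// value, the hardened decision reads it as chunked.
const mixedCase = { "transfer-encoding": "ChuNked" };
console.log(isChunkedStrict(mixedCase), bodyFraming(mixedCase).mode); // false chunked
```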
OSV
h3 v1 has Request Smuggling (TE.TE) issue
osv·2026-01-15
CVE-2026-23527 [HIGH] h3 v1 has Request Smuggling (TE.TE) issue
Red Hat
h3: h3: HTTP Request Smuggling due to improper case-sensitive parsing of Transfer-Encoding header
vendor_redhat·2026-01-15·CVSS 8.9
CVE-2026-23527 [HIGH] CWE-444 h3: h3: HTTP Request Smuggling due to improper case-sensitive parsing of Transfer-Encoding header
A flaw was found in h3, a minimal HTTP (Hypertext Transfer Protocol) framework. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request where the Transfer-Encoding header uses a case variation of "chunked". The readRawBody function performs a strict case-sensitive check for this header, which v
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-23527 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-23527 [HIGH] CVE-2026-23527 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23527: JavaScript vulnerability analysis and mitigation
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
Source : NVD
Score: 9.8
Published: January 15, 2026
Severity: CRITICAL
CNA Score: 8.9
Affected Technologies: JavaScript, NixOS
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: h3
Sour
Bugzilla
CVE-2026-23527 h3: h3: HTTP Request Smuggling due to improper case-sensitive parsing of Transfer-Encoding header [fedora-42]
bugzilla·2026-01-16·CVSS 9.8
CVE-2026-23527 [CRITICAL] CVE-2026-23527 h3: h3: HTTP Request Smuggling due to improper case-sensitive parsing of Transfer-Encoding header [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a cu
Published 2026-01-15