CVE-2026-32239 — Integer Overflow or Wraparound in Capnproto

CWE-190 — Integer Overflow or Wraparound CWE-444 — HTTP Request Smuggling CWE-681 — Incorrect Conversion between Numeric Types5 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 75.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Capnproto Debian Capnproto

Timeline

PublishedMar 12

Description

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶debiandebian/capnproto< capnproto 1.4.0-2 (forky)

▶NVDcapnproto/capnproto< 1.4.0

▶Debiancapnproto/capnproto< 1.4.0-2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-32239: Cap'n Proto is a data interchange format and capability-based RPC system↗2026-03-12

▶

📋Vendor Advisories

Red Hat

capnproto: Cap'n Proto has an integer overflow in KJ-HTTP↗2026-03-12

▶

Debian

CVE-2026-32239: capnproto - Cap'n Proto is a data interchange format and capability-based RPC system. Prior ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32239 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶