CVE-2026-32240 — Numeric Truncation Error in Capnproto

CWE-197 — Numeric Truncation Error CWE-444 — HTTP Request Smuggling CWE-190 — Integer Overflow or Wraparound5 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 75.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Capnproto Debian Capnproto

Timeline

PublishedMar 12

Description

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶debiandebian/capnproto< capnproto 1.4.0-2 (forky)

▶NVDcapnproto/capnproto< 1.4.0

▶Debiancapnproto/capnproto< 1.4.0-2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-32240: Cap'n Proto is a data interchange format and capability-based RPC system↗2026-03-12

▶

📋Vendor Advisories

Red Hat

capnproto: Cap'n Proto: Integer overflow in KJ-HTTP chunk size↗2026-03-12

▶

Debian

CVE-2026-32240: capnproto - Cap'n Proto is a data interchange format and capability-based RPC system. Prior ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32240 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶