CVE-2026-2332

HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Description

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

INFO

Published Date :

2026-04-14T10:59:10.193Z

Last Modified :

2026-04-15T03:58:12.322Z

Source :

eclipse

AFFECTED PRODUCTS

The following products are affected by CVE-2026-2332 vulnerability.

Vendors	Products
Eclipse	Jetty

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-2332.

URL	Resource
https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
https://gitlab.eclipse.org/security/cve-assignment/-/issues/89
https://nvd.nist.gov/vuln/detail/CVE-2026-2332
https://www.cve.org/CVERecord?id=CVE-2026-2332

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact