CVE-2026-2332

EUVD-2026-22243

14.04.2026, 12:16

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
  *  https://w4ke.info/2025/06/18/funky-chunks.html

  *  https://w4ke.info/2025/10/29/funky-chunks-2.html


Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.


POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...





Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

HTTP Request/Response Smuggling

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
eclipse	jetty	9.4.0 ≤ 𝑥 < 9.4.60
eclipse	jetty	10.0.0 ≤ 𝑥 < 10.0.28
eclipse	jetty	11.0.0 ≤ 𝑥 < 11.0.28
eclipse	jetty	12.0.0 ≤ 𝑥 < 12.0.33
eclipse	jetty	12.1.0 ≤ 𝑥 < 12.1.7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jetty12

forky	12.0.33-1 fixed
sid	12.0.33-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

jetty9

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	vulnerable

openSUSE / SLES Releases

openSUSE Product

Release

jetty-http

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

jetty-io

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

jetty-security

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

jetty-server

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

jetty-servlet

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

jetty-util

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

jetty-util-ajax

suse enterprise desktop 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise sap 15 SP7	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP4	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP5	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP6	9.4.58-150200.3.40.1 fixed
suse enterprise server 15 SP7	9.4.58-150200.3.40.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

jmc

RHEL 9

0:8.2.0-19.el9_8.2

fixed

Known Exploits!

https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf

Common Weakness Enumeration

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Vulnerability Media Exposure

References

https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf

https://gitlab.eclipse.org/security/cve-assignment/-/issues/89