High severity 7.4 · NVD Advisory · Published Apr 14, 2026 · Updated May 1, 2026
CVE-2026-2332
Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:

- https://w4ke.info/2025/06/18/funky-chunks.html
- https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

```
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...
```

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
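
The check the description says is missing, as an added example (not Jetty's code): a chunk-size line must match the RFC 9112 `chunk-ext` grammar in full, so an unterminated quoted string is an error. `read_chunks`, `STRICT_LINE`, `LENIENT_LINE` and `SAMPLE` are hypothetical names, and the lenient mode is a simplified model of the behaviour described above.

```python
import re

# Grammar from RFC 9112 section 7.1.1 (chunk-ext) and RFC 9110 section 5.6.4
# (token, quoted-string). CR and LF are not valid inside a quoted-string.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
EXT = rf"(?:[ \t]*;[ \t]*{TOKEN}(?:[ \t]*=[ \t]*(?:{TOKEN}|{QUOTED}))?)*"
STRICT_LINE = re.compile(rf"([0-9A-Fa-f]+){EXT}".encode("ascii"))
# Simplified model of the lenient behaviour: read the size, ignore the rest.
LENIENT_LINE = re.compile(rb"([0-9A-Fa-f]+)")

# Constructed sample: the body from the description, with explicit CRLF line ends.
SAMPLE = b'1;ext="val\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\n\r\n'


def read_chunks(body: bytes, strict: bool = True):
    """Decode a chunked body; return (payload, bytes left after the last chunk)."""
    pos, payload = 0, b""
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line is not terminated by CRLF")
        line = body[pos:eol]
        if strict:
            m = STRICT_LINE.fullmatch(line)  # whole line must fit the grammar
        else:
            m = LENIENT_LINE.match(line)     # only the hex prefix is checked
        if m is None:
            raise ValueError(f"malformed chunk-size line: {line!r}")
        size, pos = int(m.group(1), 16), eol + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data is not followed by CRLF")
        payload += body[pos:pos + size]
        pos += size + 2
    while True:  # skip the (possibly empty) trailer section
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("trailer section is not terminated")
        if eol == pos:
            return payload, body[eol + 2:]
        pos = eol + 2


if __name__ == "__main__":
    print("lenient:", read_chunks(SAMPLE, strict=False))
    try:
        read_chunks(SAMPLE)
    except ValueError as err:
        print("strict :", err)
```

In lenient mode the bytes left over after the terminating chunk are what a server would go on to parse as the next request on the connection; in strict mode the message is rejected before any body is consumed.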
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty:jetty-http (Maven) | >= 12.1.0, < 12.1.7 | 12.1.7 |
| org.eclipse.jetty:jetty-http (Maven) | >= 12.0.0, < 12.0.33 | 12.0.33 |
| org.eclipse.jetty:jetty-http (Maven) | >= 11.0.0, <= 11.0.27 | — |
| org.eclipse.jetty:jetty-http (Maven) | >= 10.0.0, <= 10.0.27 | — |
| org.eclipse.jetty:jetty-http (Maven) | >= 9.4.0, <= 9.4.59 | — |
Affected products
References
- github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf (nvd; Exploit, Vendor Advisory, Mitigation, WEB)
- github.com/advisories/GHSA-355h-qmc2-wpwf (ghsa; ADVISORY)
- gitlab.eclipse.org/security/cve-assignment/-/issues/89 (nvd; Issue Tracking, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-2332 (ghsa; ADVISORY)
- w4ke.info/2025/06/18/funky-chunks.html (ghsa; WEB)
News mentions
- ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More (The Hacker News · Jun 1, 2026)