DEBIAN-CVE-2026-2332
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-2332
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2332.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-2332
- Upstream
- Published
- 2026-04-14T12:16:21.333Z
- Modified
- 2026-05-02T09:00:10.242859Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
- References
Affected packages
Debian:11
jetty9
Package
- Name
- jetty9
- Purl
- pkg:deb/debian/jetty9?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
9.*
9.4.39-3
9.4.39-3+deb11u1
9.4.39-3+deb11u2
9.4.44-1
9.4.44-2
9.4.44-3
9.4.44-4
9.4.45-1
9.4.46-1
9.4.48-1
9.4.49-1
9.4.49-1.1
9.4.50-1~bpo11+1
9.4.50-1
9.4.50-2
9.4.50-3
9.4.50-4
9.4.50-4+deb11u1
9.4.50-4+deb11u2
9.4.51-1
9.4.51-2
9.4.52-1
9.4.53-1
9.4.54-1
9.4.55-1
9.4.56-1
9.4.57-0+deb11u1
9.4.57-0+deb11u2
9.4.57-0+deb11u3
9.4.57-1
9.4.57-1.1~deb12u1
9.4.57-1.1~deb13u1
9.4.57-1.1
9.4.58-1
Debian:12
jetty9
Package
- Name
- jetty9
- Purl
- pkg:deb/debian/jetty9?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected