Bug 2458187 (CVE-2026-2332)

Summary: CVE-2026-2332 org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abrianik, anthomas, aprice, aschwart, asoldano, aszczucz, ataylor, bbaranow, bmaxwell, boliveir, bstansbe, caswilli, ccranfor, chfoley, crizzo, csutherl, dbruscin, dfreiber, dhanak, dlofthou, drichtar, drosa, drow, dsoumis, ehelms, ewittman, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jburrell, jclere, jnethert, jpechane, jraez, jrokos, jsamir, juwatts, kaycoth, kgaikwad, kvanderr, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, nipatil, nmoumoul, nwallace, oezr, osousa, pantinor, parichar, pberan, pcreech, pdelbell, pesilva, pjindal, plodge, pmackay, rchan, rexwhite, rgodfrey, rhel-process-autobot, rkubis, rmartinc, rmaucher, rstancel, rstepani, sausingh, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, szappis, tasato, tcunning, thjenkin, tmalecek, vdosoudi, vkumar, vmuzikar, watson-tool-maintainers, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2458713    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-14 12:01:29 UTC 
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
  *  https://w4ke.info/2025/06/18/funky-chunks.html

  *  https://w4ke.info/2025/10/29/funky-chunks-2.html


Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.


POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...





Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Comment 3 errata-xmlrpc 2026-05-14 16:55:45 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14

Via RHSA-2026:17668 https://access.redhat.com/errata/RHSA-2026:17668