CVE-2026-32240
Integer Overflow in Cap'n Proto Chunked Encoding Enables Request Smuggling
Publication date: 2026-03-12
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| capnproto | capnproto | to 1.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
| CWE-197 | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'The CVE-2026-32240 vulnerability is an integer overflow bug in the KJ-HTTP library, a C++ add-on for Cap\'n Proto, affecting versions prior to 1.4.0. It occurs when parsing HTTP chunk sizes under the "Transfer-Encoding: chunked" header: if a chunk size is parsed as a value equal to or exceeding 2^64, it is truncated to fit into a 64-bit integer, causing incorrect handling of chunk sizes.'}, {'type': 'paragraph', 'content': 'This bug could theoretically enable HTTP request/response smuggling attacks if a KJ-HTTP client or server communicates through an HTTP proxy that improperly handles or forwards these malformed chunk sizes without correction.'}, {'type': 'paragraph', 'content': "However, the impact is limited to users directly employing KJ-HTTP; Cap'n Proto itself does not link or use KJ-HTTP, so applications using only Cap'n Proto are unaffected."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'If you use the KJ-HTTP library in versions prior to 1.4.0, this vulnerability could allow an attacker to perform HTTP request/response smuggling attacks by exploiting the incorrect parsing of chunk sizes.'}, {'type': 'paragraph', 'content': 'Such attacks could lead to bypassing security controls, injecting malicious requests, or interfering with normal HTTP traffic processing when communicating through a vulnerable proxy that mishandles these chunk sizes.'}, {'type': 'paragraph', 'content': "Users of Cap'n Proto alone, or environments like the Cloudflare Workers Runtime production environment, are not impacted."}, {'type': 'paragraph', 'content': 'To mitigate the risk, users of KJ-HTTP should update to version 1.4.0 or later where the issue is fixed.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves an integer overflow bug in the KJ-HTTP library when parsing HTTP chunk sizes under the "Transfer-Encoding: chunked" header. Detection would require monitoring HTTP traffic for chunk sizes that are malformed or unusually large (β₯ 2^64).'}, {'type': 'paragraph', 'content': 'Since the issue is related to HTTP request/response smuggling, network detection could involve inspecting HTTP headers for suspicious chunk sizes or negative Content-Length values forwarded by proxies.'}, {'type': 'paragraph', 'content': 'However, no specific detection commands or tools are provided in the available resources.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the KJ-HTTP library to version 1.4.0 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'Users should ensure that any HTTP proxies in use properly handle or rewrite invalid chunk sizes and Content-Length headers to prevent request/response smuggling.'}, {'type': 'paragraph', 'content': "Since the vulnerability affects only users directly employing KJ-HTTP, applications using only Cap'n Proto without KJ-HTTP are not impacted."}] [1]