CVE-2026-32240
Received Received - Intake
Integer Overflow in Cap'n Proto Chunked Encoding Enables Request Smuggling

Publication date: 2026-03-12

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32240
EUVD
EUVD-2026-11688
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capnproto capnproto to 1.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
CWE-197 Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The CVE-2026-32240 vulnerability is an integer overflow bug in the KJ-HTTP library, a C++ add-on for Cap\'n Proto, affecting versions prior to 1.4.0. It occurs when parsing HTTP chunk sizes under the "Transfer-Encoding: chunked" header: if a chunk size is parsed as a value equal to or exceeding 2^64, it is truncated to fit into a 64-bit integer, causing incorrect handling of chunk sizes.'}, {'type': 'paragraph', 'content': 'This bug could theoretically enable HTTP request/response smuggling attacks if a KJ-HTTP client or server communicates through an HTTP proxy that improperly handles or forwards these malformed chunk sizes without correction.'}, {'type': 'paragraph', 'content': "However, the impact is limited to users directly employing KJ-HTTP; Cap'n Proto itself does not link or use KJ-HTTP, so applications using only Cap'n Proto are unaffected."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'If you use the KJ-HTTP library in versions prior to 1.4.0, this vulnerability could allow an attacker to perform HTTP request/response smuggling attacks by exploiting the incorrect parsing of chunk sizes.'}, {'type': 'paragraph', 'content': 'Such attacks could lead to bypassing security controls, injecting malicious requests, or interfering with normal HTTP traffic processing when communicating through a vulnerable proxy that mishandles these chunk sizes.'}, {'type': 'paragraph', 'content': "Users of Cap'n Proto alone, or environments like the Cloudflare Workers Runtime production environment, are not impacted."}, {'type': 'paragraph', 'content': 'To mitigate the risk, users of KJ-HTTP should update to version 1.4.0 or later where the issue is fixed.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an integer overflow bug in the KJ-HTTP library when parsing HTTP chunk sizes under the "Transfer-Encoding: chunked" header. Detection would require monitoring HTTP traffic for chunk sizes that are malformed or unusually large (β‰₯ 2^64).'}, {'type': 'paragraph', 'content': 'Since the issue is related to HTTP request/response smuggling, network detection could involve inspecting HTTP headers for suspicious chunk sizes or negative Content-Length values forwarded by proxies.'}, {'type': 'paragraph', 'content': 'However, no specific detection commands or tools are provided in the available resources.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the KJ-HTTP library to version 1.4.0 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'Users should ensure that any HTTP proxies in use properly handle or rewrite invalid chunk sizes and Content-Length headers to prevent request/response smuggling.'}, {'type': 'paragraph', 'content': "Since the vulnerability affects only users directly employing KJ-HTTP, applications using only Cap'n Proto without KJ-HTTP are not impacted."}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32240. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart