{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32240", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.684Z", "datePublished": "2026-03-12T19:35:57.374Z", "dateUpdated": "2026-03-13T16:14:32.323Z"}, "containers": {"cna": {"title": "Cap'n Proto: Integer overflow in KJ-HTTP chunk size", "problemTypes": [{"descriptions": [{"cweId": "CWE-197", "lang": "en", "description": "CWE-197: Numeric Truncation Error", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm"}, {"name": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36", "tags": ["x_refsource_MISC"], "url": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36"}, {"name": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0", "tags": ["x_refsource_MISC"], "url": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0"}, {"name": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz", "tags": ["x_refsource_MISC"], "url": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz"}, {"name": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip", "tags": ["x_refsource_MISC"], "url": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip"}], "affected": [{"vendor": "capnproto", "product": "capnproto", "versions": [{"version": "< 1.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:35:57.374Z"}, "descriptions": [{"lang": "en", "value": "Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0."}], "source": {"advisory": "GHSA-vpcq-mx5v-32wm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:14:24.863827Z", "id": "CVE-2026-32240", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:14:32.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32240", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:14:24.863827Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:14:28.903Z"}}], "cna": {"title": "Cap'n Proto: Integer overflow in KJ-HTTP chunk size", "source": {"advisory": "GHSA-vpcq-mx5v-32wm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "capnproto", "product": "capnproto", "versions": [{"status": "affected", "version": "< 1.4.0"}]}], "references": [{"url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm", "name": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36", "name": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0", "name": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0", "tags": ["x_refsource_MISC"]}, {"url": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz", "name": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz", "tags": ["x_refsource_MISC"]}, {"url": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip", "name": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-197", "description": "CWE-197: Numeric Truncation Error"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:35:57.374Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32240", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:14:32.323Z", "dateReserved": "2026-03-11T14:47:05.684Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T19:35:57.374Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0."}], "id": "CVE-2026-32240", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-12T20:16:05.190", "references": [{"source": "[email protected]", "url": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz"}, {"source": "[email protected]", "url": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip"}, {"source": "[email protected]", "url": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36"}, {"source": "[email protected]", "url": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0"}, {"source": "[email protected]", "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-197"}, {"lang": "en", "value": "CWE-444"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "capnproto: Cap'n Proto: Integer overflow in KJ-HTTP chunk size", "id": "2447117", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447117"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in the KJ-HTTP component of Cap\u2019n Proto when processing HTTP messages that use Transfer-Encoding: chunked. If a chunk size is parsed as a value equal to or greater than 2^64, the value may be truncated when converted to a 64-bit integer. An attacker could exploit this behavior by sending specially crafted HTTP messages containing excessively large chunk sizes. This may cause incorrect interpretation of HTTP message boundaries and could theoretically enable HTTP request or response smuggling in applications that rely on the affected HTTP implementation."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability."}, "name": "CVE-2026-32240", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "capnproto", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-03-12T19:35:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32240\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32240\nhttps://capnproto.org/capnproto-c++-1.4.0.tar.gz\nhttps://capnproto.org/capnproto-c++-win32-1.4.0.zip\nhttps://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36\nhttps://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0\nhttps://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm"], "statement": "This issue is rated Moderate severity by Red Hat Product Security, because exploitation requires specially crafted malformed HTTP requests containing extremely large chunk size values that exceed normal protocol limits. Such requests are not generated by typical HTTP clients and may be rejected by intermediary infrastructure such as reverse proxies or load balancers before reaching the affected parser. \nAdditionally, meaningful exploitation generally depends on differences in how multiple HTTP components interpret malformed chunked encoding values. Because these conditions require non-standard inputs and specific deployment configurations, the attack complexity is considered High. The potential impact is limited to inconsistencies in HTTP request parsing that could enable limited request smuggling scenarios, without directly causing service crashes or enabling arbitrary code execution.", "threat_severity": "Moderate"}