{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32240", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.684Z", "datePublished": "2026-03-12T19:35:57.374Z", "dateUpdated": "2026-03-13T16:14:32.323Z"}, "containers": {"cna": {"title": "Cap'n Proto: Integer overflow in KJ-HTTP chunk size", "problemTypes": [{"descriptions": [{"cweId": "CWE-197", "lang": "en", "description": "CWE-197: Numeric Truncation Error", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm"}, {"name": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36", "tags": ["x_refsource_MISC"], "url": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36"}, {"name": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0", "tags": ["x_refsource_MISC"], "url": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0"}, {"name": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz", "tags": ["x_refsource_MISC"], "url": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz"}, {"name": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip", "tags": ["x_refsource_MISC"], "url": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip"}], "affected": [{"vendor": "capnproto", "product": "capnproto", "versions": [{"version": "< 1.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:35:57.374Z"}, "descriptions": [{"lang": "en", "value": "Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0."}], "source": {"advisory": "GHSA-vpcq-mx5v-32wm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:14:24.863827Z", "id": "CVE-2026-32240", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:14:32.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32240", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:14:24.863827Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:14:28.903Z"}}], "cna": {"title": "Cap'n Proto: Integer overflow in KJ-HTTP chunk size", "source": {"advisory": "GHSA-vpcq-mx5v-32wm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "capnproto", "product": "capnproto", "versions": [{"status": "affected", "version": "< 1.4.0"}]}], "references": [{"url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm", "name": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36", "name": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0", "name": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0", "tags": ["x_refsource_MISC"]}, {"url": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz", "name": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz", "tags": ["x_refsource_MISC"]}, {"url": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip", "name": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-197", "description": "CWE-197: Numeric Truncation Error"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:35:57.374Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32240", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:14:32.323Z", "dateReserved": "2026-03-11T14:47:05.684Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T19:35:57.374Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*", "matchCriteriaId": "8055977B-A05F-42A9-8EEF-ED19D74C1319", "versionEndExcluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0."}, {"lang": "es", "value": "Cap'n Proto es un formato de intercambio de datos y un sistema RPC basado en capacidades. Antes de la versi\u00f3n 1.4.0, al usar Transfer-Encoding: chunked, si el tama\u00f1o de un fragmento se analizaba a un valor de 2^64 o superior, se truncaba a un entero de 64 bits. En teor\u00eda, este error podr\u00eda permitir el contrabando de solicitudes/respuestas HTTP. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.4.0."}], "id": "CVE-2026-32240", "lastModified": "2026-03-18T17:01:14.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T20:16:05.190", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://capnproto.org/capnproto-c++-1.4.0.tar.gz"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://capnproto.org/capnproto-c++-win32-1.4.0.zip"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-197"}, {"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "capnproto: Cap'n Proto: Integer overflow in KJ-HTTP chunk size", "id": "2447117", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447117"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in the KJ-HTTP component of Cap\u2019n Proto when processing HTTP messages that use Transfer-Encoding: chunked. If a chunk size is parsed as a value equal to or greater than 2^64, the value may be truncated when converted to a 64-bit integer. An attacker could exploit this behavior by sending specially crafted HTTP messages containing excessively large chunk sizes. This may cause incorrect interpretation of HTTP message boundaries and could theoretically enable HTTP request or response smuggling in applications that rely on the affected HTTP implementation."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability."}, "name": "CVE-2026-32240", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "capnproto", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-03-12T19:35:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32240\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32240\nhttps://capnproto.org/capnproto-c++-1.4.0.tar.gz\nhttps://capnproto.org/capnproto-c++-win32-1.4.0.zip\nhttps://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36\nhttps://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0\nhttps://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm"], "statement": "This issue is rated Moderate severity by Red Hat Product Security, because exploitation requires specially crafted malformed HTTP requests containing extremely large chunk size values that exceed normal protocol limits. Such requests are not generated by typical HTTP clients and may be rejected by intermediary infrastructure such as reverse proxies or load balancers before reaching the affected parser. \nAdditionally, meaningful exploitation generally depends on differences in how multiple HTTP components interpret malformed chunked encoding values. Because these conditions require non-standard inputs and specific deployment configurations, the attack complexity is considered High. The potential impact is limited to inconsistencies in HTTP request parsing that could enable limited request smuggling scenarios, without directly causing service crashes or enabling arbitrary code execution.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "capnproto", "source": "cna", "vendor": "capnproto"}, "product": "capnproto", "vendor": "capnproto"}], "analysis": {"en": {"generated_at": "2026-03-18T19:06:44.223986+00:00", "value": {"mitigation_remediation": ["Upgrade Cap'n Proto to version 1.4.0 or later", "If an upgrade cannot be performed immediately, disable or remove use of Transfer-Encoding: chunked for any paths that use Cap'n Proto", "Verify that the upgrade or configuration change has been applied and that the system is no longer vulnerable"], "summary": {"action": "Apply Patch", "impact": "Potential HTTP Request Smuggling"}, "threat_synthesis": {"affected_systems": "All deployments of Cap'n Proto that use the Transfer\u2011Encoding: chunked mechanism and run a version older than 1.4.0 are affected. The product identifier is capnproto:capnproto. Specific sub\u2011versions are not enumerated, but any build released before the 1.4.0 update is vulnerable.", "description_and_impact": "Cap'n Proto implements a data interchange and RPC system that parses HTTP chunked transfer encoding. An integer overflow occurs when the parsed chunk size equals or exceeds 2^64; the value is truncated to a 64\u2011bit integer. This flaw can be leveraged for HTTP request or response smuggling, a technique that allows an attacker to deliver data that is interpreted differently by a server and a downstream proxy. The weakness is classified as an integer overflow (CWE\u2011190) and unsafe conversion (CWE\u2011197). The potential impact includes denial of service, bypassing of security controls, or information disclosure if the smuggled payload reaches a privileged component.", "risk_and_exploitability": "The CVSS base score is 6.3, indicating a medium severity. The EPSS score is below 1%, suggesting a low likelihood of real\u2011world exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via crafted HTTP traffic that forces the Cap'n Proto library to parse an oversized chunked size. The vulnerability is exploitable when the library processes an HTTP request or response, which typically occurs in a remote context. No additional conditions or privileges are required beyond sending the malformed request."}}}}, "created": "2026-03-13T09:50:03.815898+00:00", "updated": "2026-03-23T09:54:52.597018+00:00", "vendors": ["capnproto", "capnproto$PRODUCT$capnproto"]}