CVE-2026-32239

Summary

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

Affected Software

VendorProductVersion RangeStatus
capnprotocapnproto< 1.4.0affected

Weaknesses

  • CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
  • CWE-190: CWE-190: Integer Overflow or Wraparound

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References