CVE-2026-32239 Overview
Cap'n Proto is a high-performance data interchange format and capability-based RPC system. A vulnerability exists in versions prior to 1.4.0 where a negative Content-Length value in HTTP requests is improperly converted to an unsigned integer, resulting in an impossibly large length value. This integer overflow vulnerability (CWE-190) can potentially enable HTTP request/response smuggling attacks, allowing attackers to bypass security controls and manipulate HTTP traffic.
Critical Impact
This integer overflow vulnerability in Cap'n Proto's HTTP handling could enable HTTP request smuggling attacks, potentially allowing attackers to bypass security controls, poison web caches, or hijack user sessions.
Affected Products
- Cap'n Proto C++ versions prior to 1.4.0
- Cap'n Proto C++ Win32 versions prior to 1.4.0
- Applications using Cap'n Proto's HTTP compatibility layer (kj/compat/http.c++)
Discovery Timeline
- 2026-03-12 - CVE-2026-32239 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32239
Vulnerability Analysis
This vulnerability stems from improper handling of the Content-Length HTTP header in Cap'n Proto's HTTP implementation. When a malicious HTTP request contains a negative Content-Length value, the parsing logic converts this signed integer to an unsigned 64-bit integer without proper bounds checking. This conversion causes the negative value to wrap around to an extremely large positive number due to two's complement representation.
The vulnerability exists in the HTTP chunk size parsing code within c++/src/kj/compat/http.c++. The original implementation performed arithmetic operations on the parsed value without validating whether the result would overflow the maximum representable value. An attacker could craft HTTP requests with carefully chosen Content-Length or chunk size values that exploit this integer overflow to desynchronize HTTP message boundaries between front-end proxies and back-end servers.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the HTTP body size parsing logic. The original code accumulated hexadecimal digit values through multiplication and addition operations without checking for overflow conditions. When parsing chunk sizes in chunked transfer encoding, the code multiplied the accumulated value by 16 and added each digit without verifying that these operations would not exceed the maximum safe value for a 64-bit unsigned integer.
Attack Vector
This vulnerability is exploitable over the network and requires an attacker to send specially crafted HTTP requests to a service using Cap'n Proto's HTTP implementation. The attack scenario involves:
- An attacker sends an HTTP request with a malformed Content-Length header or chunk size
- The negative or overflow-inducing value is parsed and converted to an extremely large unsigned integer
- This causes the HTTP parser to misinterpret message boundaries
- In a proxy/server configuration, this desynchronization enables request smuggling attacks
- The attacker can potentially inject unauthorized requests, bypass access controls, or poison caches
// Security patch in c++/src/kj/compat/http.c++ - Fix HTTP body size integer overflow bugs.
uint64_t value = 0;
for (char c: text) {
+ uint64_t digit;
if ('0' <= c && c <= '9') {
- value = value * 16 + (c - '0');
+ digit = c - '0';
} else if ('a' <= c && c <= 'f') {
- value = value * 16 + (c - 'a' + 10);
+ digit = c - 'a' + 10;
} else if ('A' <= c && c <= 'F') {
- value = value * 16 + (c - 'A' + 10);
+ digit = c - 'A' + 10;
} else {
KJ_FAIL_REQUIRE("invalid HTTP chunk size", text, text.asBytes()) { break; }
return value;
}
+ KJ_REQUIRE(value <= (uint64_t(kj::maxValue) >> 4),
+ "HTTP chunk size overflow", text, text.asBytes()) { break; }
+ value = value * 16 + digit;
}
return value;
Source: GitHub Commit
Detection Methods for CVE-2026-32239
Indicators of Compromise
- HTTP requests containing negative or abnormally large Content-Length values
- Malformed chunked transfer encoding with oversized chunk size declarations
- Unexpected HTTP parsing errors in Cap'n Proto application logs indicating invalid chunk sizes
- Evidence of HTTP desynchronization between proxy and backend servers
Detection Strategies
- Monitor HTTP traffic for requests with Content-Length headers containing negative values or values exceeding reasonable thresholds
- Implement Web Application Firewall (WAF) rules to detect and block HTTP request smuggling patterns
- Analyze application logs for KJ_FAIL_REQUIRE errors related to "invalid HTTP chunk size" messages
- Deploy network intrusion detection signatures for HTTP protocol anomalies
Monitoring Recommendations
- Enable verbose logging for Cap'n Proto HTTP connections to capture parsing failures
- Implement real-time alerting on HTTP 400-series errors that may indicate smuggling attempts
- Monitor for discrepancies between front-end proxy logs and backend server logs that could indicate request desynchronization
- Track and correlate unusual patterns in HTTP request/response timing
How to Mitigate CVE-2026-32239
Immediate Actions Required
- Upgrade Cap'n Proto C++ to version 1.4.0 or later immediately
- If immediate patching is not possible, implement WAF rules to validate Content-Length headers
- Review and audit any public-facing services using Cap'n Proto's HTTP implementation
- Monitor logs for evidence of exploitation attempts
Patch Information
The vulnerability is fixed in Cap'n Proto version 1.4.0. The patch adds overflow checking to the HTTP chunk size parsing logic by validating that the accumulated value will not exceed the maximum safe value before performing multiplication operations. The fix uses KJ_REQUIRE to validate value <= (uint64_t(kj::maxValue) >> 4) before each multiplication by 16, ensuring that overflow conditions are detected and rejected.
Download the patched version from the official sources:
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or WAF in front of vulnerable services to validate HTTP headers before they reach Cap'n Proto
- Implement input validation at the application layer to reject requests with suspicious Content-Length values
- Consider temporarily disabling chunked transfer encoding if not required for your application
- Isolate vulnerable services from direct internet exposure until patching is complete
# Configuration example - WAF rule to block suspicious Content-Length values
# Example ModSecurity rule to detect negative or overflow Content-Length
SecRule REQUEST_HEADERS:Content-Length "@lt 0" \
"id:1001,phase:1,deny,status:400,msg:'Negative Content-Length detected'"
SecRule REQUEST_HEADERS:Content-Length "@gt 2147483647" \
"id:1002,phase:1,deny,status:400,msg:'Abnormally large Content-Length detected'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
