Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32239

CVE-2026-32239: Cap'n Proto HTTP Smuggling Vulnerability

CVE-2026-32239 is an HTTP request smuggling flaw in Cap'n Proto caused by negative Content-Length handling. This post covers the technical details, affected versions, security impact, and mitigation steps.

Published: March 13, 2026

CVE-2026-32239 Overview

Cap'n Proto is a high-performance data interchange format and capability-based RPC system. A vulnerability exists in versions prior to 1.4.0 where a negative Content-Length value in HTTP requests is improperly converted to an unsigned integer, resulting in an impossibly large length value. This integer overflow vulnerability (CWE-190) can potentially enable HTTP request/response smuggling attacks, allowing attackers to bypass security controls and manipulate HTTP traffic.

Critical Impact

This integer overflow vulnerability in Cap'n Proto's HTTP handling could enable HTTP request smuggling attacks, potentially allowing attackers to bypass security controls, poison web caches, or hijack user sessions.

Affected Products

  • Cap'n Proto C++ versions prior to 1.4.0
  • Cap'n Proto C++ Win32 versions prior to 1.4.0
  • Applications using Cap'n Proto's HTTP compatibility layer (kj/compat/http.c++)

Discovery Timeline

  • 2026-03-12 - CVE-2026-32239 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-32239

Vulnerability Analysis

This vulnerability stems from improper handling of the Content-Length HTTP header in Cap'n Proto's HTTP implementation. When a malicious HTTP request contains a negative Content-Length value, the parsing logic converts this signed integer to an unsigned 64-bit integer without proper bounds checking. This conversion causes the negative value to wrap around to an extremely large positive number due to two's complement representation.

The vulnerability exists in the HTTP chunk size parsing code within c++/src/kj/compat/http.c++. The original implementation performed arithmetic operations on the parsed value without validating whether the result would overflow the maximum representable value. An attacker could craft HTTP requests with carefully chosen Content-Length or chunk size values that exploit this integer overflow to desynchronize HTTP message boundaries between front-end proxies and back-end servers.

Root Cause

The root cause is an integer overflow vulnerability (CWE-190) in the HTTP body size parsing logic. The original code accumulated hexadecimal digit values through multiplication and addition operations without checking for overflow conditions. When parsing chunk sizes in chunked transfer encoding, the code multiplied the accumulated value by 16 and added each digit without verifying that these operations would not exceed the maximum safe value for a 64-bit unsigned integer.

Attack Vector

This vulnerability is exploitable over the network and requires an attacker to send specially crafted HTTP requests to a service using Cap'n Proto's HTTP implementation. The attack scenario involves:

  1. An attacker sends an HTTP request with a malformed Content-Length header or chunk size
  2. The negative or overflow-inducing value is parsed and converted to an extremely large unsigned integer
  3. This causes the HTTP parser to misinterpret message boundaries
  4. In a proxy/server configuration, this desynchronization enables request smuggling attacks
  5. The attacker can potentially inject unauthorized requests, bypass access controls, or poison caches
text
// Security patch in c++/src/kj/compat/http.c++ - Fix HTTP body size integer overflow bugs.
 
       uint64_t value = 0;
       for (char c: text) {
+        uint64_t digit;
         if ('0' <= c && c <= '9') {
-          value = value * 16 + (c - '0');
+          digit = c - '0';
         } else if ('a' <= c && c <= 'f') {
-          value = value * 16 + (c - 'a' + 10);
+          digit = c - 'a' + 10;
         } else if ('A' <= c && c <= 'F') {
-          value = value * 16 + (c - 'A' + 10);
+          digit = c - 'A' + 10;
         } else {
           KJ_FAIL_REQUIRE("invalid HTTP chunk size", text, text.asBytes()) { break; }
           return value;
         }
+        KJ_REQUIRE(value <= (uint64_t(kj::maxValue) >> 4),
+            "HTTP chunk size overflow", text, text.asBytes()) { break; }
+        value = value * 16 + digit;
       }

       return value;

Source: GitHub Commit

Detection Methods for CVE-2026-32239

Indicators of Compromise

  • HTTP requests containing negative or abnormally large Content-Length values
  • Malformed chunked transfer encoding with oversized chunk size declarations
  • Unexpected HTTP parsing errors in Cap'n Proto application logs indicating invalid chunk sizes
  • Evidence of HTTP desynchronization between proxy and backend servers

Detection Strategies

  • Monitor HTTP traffic for requests with Content-Length headers containing negative values or values exceeding reasonable thresholds
  • Implement Web Application Firewall (WAF) rules to detect and block HTTP request smuggling patterns
  • Analyze application logs for KJ_FAIL_REQUIRE errors related to "invalid HTTP chunk size" messages
  • Deploy network intrusion detection signatures for HTTP protocol anomalies

Monitoring Recommendations

  • Enable verbose logging for Cap'n Proto HTTP connections to capture parsing failures
  • Implement real-time alerting on HTTP 400-series errors that may indicate smuggling attempts
  • Monitor for discrepancies between front-end proxy logs and backend server logs that could indicate request desynchronization
  • Track and correlate unusual patterns in HTTP request/response timing

How to Mitigate CVE-2026-32239

Immediate Actions Required

  • Upgrade Cap'n Proto C++ to version 1.4.0 or later immediately
  • If immediate patching is not possible, implement WAF rules to validate Content-Length headers
  • Review and audit any public-facing services using Cap'n Proto's HTTP implementation
  • Monitor logs for evidence of exploitation attempts

Patch Information

The vulnerability is fixed in Cap'n Proto version 1.4.0. The patch adds overflow checking to the HTTP chunk size parsing logic by validating that the accumulated value will not exceed the maximum safe value before performing multiplication operations. The fix uses KJ_REQUIRE to validate value <= (uint64_t(kj::maxValue) >> 4) before each multiplication by 16, ensuring that overflow conditions are detected and rejected.

Download the patched version from the official sources:

  • CapnProto C++ Source Archive
  • CapnProto C++ Win32 Archive

For additional details, refer to the GitHub Security Advisory.

Workarounds

  • Deploy a reverse proxy or WAF in front of vulnerable services to validate HTTP headers before they reach Cap'n Proto
  • Implement input validation at the application layer to reject requests with suspicious Content-Length values
  • Consider temporarily disabling chunked transfer encoding if not required for your application
  • Isolate vulnerable services from direct internet exposure until patching is complete
bash
# Configuration example - WAF rule to block suspicious Content-Length values
# Example ModSecurity rule to detect negative or overflow Content-Length
SecRule REQUEST_HEADERS:Content-Length "@lt 0" \
    "id:1001,phase:1,deny,status:400,msg:'Negative Content-Length detected'"

SecRule REQUEST_HEADERS:Content-Length "@gt 2147483647" \
    "id:1002,phase:1,deny,status:400,msg:'Abnormally large Content-Length detected'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechCap'n Proto
  • SeverityMEDIUM
  • CVSS Score6.3
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-190
  • Technical References
  • CapnProto C++ Source Archive
  • CapnProto C++ Win32 Archive
  • GitHub Commit Overview
  • GitHub Commit Overview
  • GitHub Security Advisory
  • Latest CVEs
  • CVE-2025-52793: Esselink.nu Settings CSRF Vulnerability
  • CVE-2025-52772: Virtual Moderator CSRF Vulnerability
  • CVE-2025-48279: WC MyParcel Belgium XSS Vulnerability
  • CVE-2025-39381: KiotViet Sync CSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English