{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23527", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.981Z", "datePublished": "2026-01-15T19:24:20.514Z", "dateUpdated": "2026-01-15T20:00:06.302Z"}, "containers": {"cna": {"title": "Request Smuggling (TE.TE) in h3 v1", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"}, {"name": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": "< 1.15.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T19:24:20.514Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}], "source": {"advisory": "GHSA-mp2g-9vg9-f4cg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T19:59:57.020909Z", "id": "CVE-2026-23527", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:00:06.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-15T19:59:57.020909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:59:59.151Z"}}], "cna": {"title": "Request Smuggling (TE.TE) in h3 v1", "source": {"advisory": "GHSA-mp2g-9vg9-f4cg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": "< 1.15.5"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "name": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "name": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T19:24:20.514Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23527", "state": "PUBLISHED", "dateUpdated": "2026-01-15T20:00:06.302Z", "dateReserved": "2026-01-13T18:22:43.981Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T19:24:20.514Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}], "id": "CVE-2026-23527", "lastModified": "2026-01-16T15:55:12.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-15T20:16:05.620", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097"}, {"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "h3: h3: HTTP Request Smuggling due to improper case-sensitive parsing of Transfer-Encoding header", "id": "2430110", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430110"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-444", "details": ["A flaw was found in h3, a minimal HTTP (Hypertext Transfer Protocol) framework. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request where the Transfer-Encoding header uses a case variation of \"chunked\". The readRawBody function performs a strict case-sensitive check for this header, which violates the RFC standard requiring case-insensitivity. This improper parsing can lead to HTTP Request Smuggling, potentially allowing attackers to bypass security controls, poison web caches, or conduct other malicious activities."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23527", "public_date": "2026-01-15T19:24:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23527\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23527\nhttps://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097\nhttps://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"], "statement": "This vulnerability is rated Important for Red Hat products as it affects the h3 HTTP framework, which is used in Fedora 42 and 43. A remote attacker can exploit this flaw by sending a specially crafted HTTP request with a case-variant `Transfer-Encoding` header, leading to HTTP Request Smuggling. This can enable attackers to bypass security controls and poison web caches.", "threat_severity": "Important"}