PatchSiren cyber security CVE debrief

CVE-2026-40562 Kazeburo CVE debrief

CVE-2026-40562 is a high-severity HTTP request smuggling issue in Gazelle for Perl, affecting versions through 0.49. The flaw is an incorrect header-precedence decision: when both Content-Length and Transfer-Encoding: chunked are present, Gazelle gives Content-Length priority even though RFC 7230 section 3.3.3 requires Transfer-Encoding to take precedence. In deployments that sit behind a front-end reverse proxy, that parsing mismatch can let an attacker smuggle malicious requests past the proxy boundary. The CVE was published on 2026-05-06 and last modified on 2026-05-11; the source corpus also points to Gazelle 0.50 release notes and an upstream patch as the remediation references.

Vendor: Kazeburo
Product: CVE-2026-40562
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-05-11
Advisory published: 2026-05-06
Advisory updated: 2026-05-11

Who should care

Operators and maintainers of Gazelle-based services, especially environments where Gazelle is exposed through a reverse proxy or other front-end HTTP intermediary. Security teams responsible for web application gateways, load balancers, and request normalization should also treat this as relevant because the weakness depends on proxy/backend parsing disagreement.

Technical summary

NVD maps this issue to CWE-444 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5). The vulnerable behavior is limited to request parsing when both Content-Length and Transfer-Encoding: chunked appear together. By honoring Content-Length first, Gazelle can be desynchronized from a front-end proxy that follows RFC 7230 section 3.3.3 and prioritizes Transfer-Encoding, creating the conditions for HTTP request smuggling. The supplied CPE criteria mark Gazelle versions before 0.50 as vulnerable, and the corpus includes a 0.50 release-notes reference plus an upstream patch reference.

Defensive priority

High. This is network-reachable, requires no privileges or user interaction, and can impact integrity through request smuggling. Prioritize rapid version assessment and upgrade planning for any Gazelle deployment behind a reverse proxy.

Recommended defensive actions

  • Upgrade Gazelle to 0.50 or later, consistent with the supplied release-notes and CPE version boundary references.
  • Review any deployment that places Gazelle behind a reverse proxy, load balancer, or other HTTP intermediary for request-normalization behavior.
  • Ensure front-end infrastructure rejects or normalizes ambiguous requests that contain both Content-Length and Transfer-Encoding headers.
  • Validate that application and proxy layers follow RFC 7230 section 3.3.3 precedence rules for Transfer-Encoding over Content-Length.
  • Apply the upstream patch reference from the supplied corpus as part of your remediation verification process.
  • Monitor logs for requests containing conflicting body-delimitation headers and investigate any proxy/backend parsing discrepancies.
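As an added illustration of the precedence rule in the technical summary and of the "reject ambiguous requests" action above (example code written for this debrief, not Gazelle's or PatchSiren's own code), the following Python models the RFC 7230 section 3.3.3 framing decision beside the Content-Length-first behaviour attributed to Gazelle through 0.49, and applies a front-end policy that refuses to forward any request carrying both headers. The request bytes and the `app.example` host are constructed.

```python
# Added example (not Gazelle's or PatchSiren's code); request bytes are constructed.

def parse_head(raw: bytes):
    """Split an HTTP/1.1 request head into (request line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def body_framing(headers, content_length_first=False):
    """Decide how the body is delimited. RFC 7230 3.3.3: Transfer-Encoding wins
    and Content-Length is ignored; content_length_first=True reproduces the
    precedence error the advisory attributes to Gazelle through 0.49."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    chunked = any(v.split(",")[-1].strip().lower() == "chunked" for v in te)
    if cl and chunked and content_length_first:
        return ("content-length", int(cl[0]))
    if te:
        if not chunked:
            raise ValueError("final transfer-coding is not chunked")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("invalid or conflicting Content-Length")
        return ("content-length", int(cl[0]))
    return ("none", 0)

def check_request(raw: bytes):
    """Front-end policy: show both framings and reject when they could differ."""
    _, headers = parse_head(raw)
    names = {n for n, _ in headers}
    ambiguous = {"transfer-encoding", "content-length"} <= names
    return {
        "ambiguous": ambiguous,
        "rfc7230": body_framing(headers),
        "gazelle_0_49": body_framing(headers, content_length_first=True),
        "action": "reject" if ambiguous else "forward",
    }

# Constructed requests: one with both body-delimiting headers, one with only Content-Length.
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n"
```

For the ambiguous request the two framings disagree (chunked versus a 5-byte body), which is exactly the proxy/backend disagreement the advisory describes; the policy returns "reject" before that disagreement can reach the backend.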

Evidence notes

All statements are grounded in the supplied NVD source item and its listed references. The corpus explicitly says Gazelle versions through 0.49 are affected, identifies RFC 7230 section 3.3.3 as the precedence rule, and links an upstream patch, Gazelle 0.50 release notes, and an oss-security advisory thread. NVD classifies the weakness as CWE-444 and assigns CVSS 3.1 7.5. No KEV entry or ransomware-campaign linkage is present in the supplied data.

Official resources

Publicly disclosed on 2026-05-06; last modified in the source corpus on 2026-05-11. The supplied timeline should be used for issue dating, not the debrief publication date.