CVE-2026-31842 affects Tinyproxy through version 1.11.3 due to improper case-sensitive comparison of the Transfer-Encoding header value in the is_chunked_transfer() function. The function uses strcmp() against "chunked" instead of a case-insensitive comparison as required by RFC 7230. An unauthenticated remote attacker can exploit this by sending a request with 'Transfer-Encoding: Chunked' (capitalized), causing Tinyproxy to treat the request as having no body. This leads Tinyproxy to skip chunked body processing and forward headers upstream while buffering unread body data. Backend servers that correctly implement RFC 7230 continue waiting for the chunked body, causing connections to hang and backend worker exhaustion, resulting in an application-level denial of service. In scenarios where Tinyproxy performs request-body inspection or filtering, the unread body may be forwarded without inspection, potentially bypassing security controls.

The vulnerability allows unauthenticated remote attackers to cause application-level denial of service by exhausting backend server workers due to hanging connections. It also risks bypassing security controls in deployments where Tinyproxy inspects or filters request bodies, as unread body data may be forwarded without inspection. There is no indication of remote code execution or data disclosure from the provided information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider deploying compensating controls such as placing Tinyproxy behind a reverse proxy that correctly handles Transfer-Encoding headers or disabling chunked transfer encoding if feasible. Monitor for unusual connection hangs on backend servers that may indicate exploitation attempts.