- Product: haproxy
- Vulnerabilities: 2 flaws (CVE-2026-55203, CVE-2026-55204)
- Highest severity: 9 (Critical · CVSSv4)
- Worst impact: Integer Overflow in FCGI Demux Record Length Field
- Status: No confirmed exploitation yet; patches available
- Action: Update now to a build that includes commits 5985276735777634d8c85f1d73bb7764aab0d6dd and 9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513
| CVE | CVSS (CVSSv4) | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-55203 | 9 | Integer Overflow in FCGI Demux Record Length Field | 5985276735777634d8c85f1d73bb7764aab0d6dd | Not exploited |
| CVE-2026-55204 | 8.7 | NULL Pointer Dereference in hpack_dht_insert Function | 9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513 | Not exploited |
TL;DR
Two critical flaws affect HAProxy. The first, an integer overflow, allows response smuggling; the second, a NULL pointer dereference, causes denial of service.
Why It Matters
HAProxy provides high availability and load balancing for TCP and HTTP applications, and many organizations rely on it as a security-relevant reverse proxy. A memory crash halts worker processes entirely, which stops all traffic routing. Response smuggling lets attackers bypass intended security boundaries, so a malicious backend server can manipulate the connection state.
How the Attack Works
The first flaw, CVE-2026-55203, is an integer overflow in the FastCGI module. The fcgi_conn structure holds a drl field; when the content length reaches 65535 and padding is present, this field wraps to zero, and the misparsed length confuses the framing parser.
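The wraparound described above, as an added illustration that is not HAProxy's own code: it assumes (as a hypothetical) that the record-length counter is a 16-bit field holding content length plus padding, parses a constructed FastCGI record header per the public FastCGI layout, and contrasts the narrow sum with a width-safe one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FastCGI record header (8 bytes, big-endian fields) per the FastCGI spec:
 * version, type, requestId(2), contentLength(2), paddingLength(1), reserved(1). */
struct fcgi_hdr {
    uint8_t  version;
    uint8_t  type;
    uint16_t request_id;
    uint16_t content_len;
    uint8_t  padding_len;
};

/* Parse one record header; returns 0 if fewer than 8 bytes are available. */
static int fcgi_parse_hdr(const uint8_t *buf, size_t len, struct fcgi_hdr *h)
{
    if (len < 8)
        return 0;
    h->version     = buf[0];
    h->type        = buf[1];
    h->request_id  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->content_len = (uint16_t)((buf[4] << 8) | buf[5]);
    h->padding_len = buf[6];
    return 1;
}

/* Hypothetical narrow accounting: a 16-bit remaining-length counter, so
 * 65535 + any non-zero padding wraps (to 0 when padding is 1). */
static uint16_t drl_narrow(const struct fcgi_hdr *h)
{
    return (uint16_t)(h->content_len + h->padding_len);
}

/* Width-safe accounting: sum in a wider type so the total can never wrap. */
static uint32_t drl_wide(const struct fcgi_hdr *h)
{
    return (uint32_t)h->content_len + (uint32_t)h->padding_len;
}

int main(void)
{
    /* Constructed FCGI_STDOUT header: contentLength 0xFFFF, paddingLength 1. */
    const uint8_t rec[8] = { 1, 6, 0x00, 0x01, 0xFF, 0xFF, 0x01, 0x00 };
    struct fcgi_hdr h;
    if (!fcgi_parse_hdr(rec, sizeof rec, &h))
        return 1;
    printf("narrow drl = %u, wide drl = %u\n", drl_narrow(&h), drl_wide(&h));
    return 0;
}
```

A parser that trusts the narrow value believes the record has ended while 65536 bytes of body and padding are still on the wire, which is the desynchronization the advisory describes.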
The second bug, CVE-2026-55204, is a NULL pointer dereference in the hpack_dht_insert function. Under heavy memory pressure, hpack_dht_defrag can fail, and its return value is not checked, so the next HPACK dynamic table insertion crashes the process. See the advisory for the NULL pointer dereference in hpack_dht_insert for details. No exploitation in the wild or public proof of concept has been confirmed so far.
Affected Versions
These HAProxy vulnerabilities impact all software releases up through version 3.4.0.
Patch or Mitigation Steps
Administrators must apply the latest patches immediately. The developers fixed the integer overflow in commit 5985276 and the NULL pointer dereference in commit 9a6d1fe. Update your HAProxy deployments to a build containing both fixes.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.