high advisory

CVE-2026-55203 HAProxy Integer Overflow in FastCGI Handling

An integer overflow vulnerability (CVE-2026-55203) in HAProxy through version 3.4.0 allows malicious FastCGI backends to desynchronize the FCGI framing parser, leading to request routing errors, response smuggling, or memory safety issues.

CVE-2026-55203 impacts HAProxy versions up to and including 3.4.0, stemming from an integer overflow within the fcgi_conn structure's drl field. This vulnerability is triggered when HAProxy receives a FastCGI record from a backend where contentLength is precisely 65535 and paddingLength is 1 or more. Under these specific conditions, the drl field wraps to 0, causing HAProxy to misinterpret subsequent data as new FastCGI record headers. This desynchronization of the FCGI framing parser enables malicious FastCGI backends to manipulate HAProxy's internal state, potentially resulting in request routing errors, response smuggling, or various memory safety issues. Organizations utilizing HAProxy as a reverse proxy for FastCGI applications are particularly susceptible, making immediate patching crucial.

Attack Chain

  1. An attacker establishes or compromises a FastCGI backend service configured to communicate with a vulnerable HAProxy instance.
  2. The malicious FastCGI backend constructs and sends a specially crafted FastCGI record to HAProxy.
  3. The crafted FastCGI record includes a contentLength value of 65535 and a paddingLength of 1 or more.
  4. HAProxy receives and attempts to process this record, triggering an integer overflow in the fcgi_conn structure's drl field, causing the field to wrap to 0.
  5. Due to the drl field's incorrect value, HAProxy misinterprets the subsequent data stream from the backend as new FastCGI record headers.
  6. This misinterpretation desynchronizes HAProxy's internal FastCGI framing parser, leading to incorrect consumption of subsequent records.
  7. The desynchronization lets the attacker steer HAProxy's processing, potentially leading to request routing errors (e.g., a client request routed to the wrong backend), response smuggling (e.g., arbitrary content appended to legitimate responses), or various memory safety issues (e.g., crashes, arbitrary code execution).
  8. The attacker's end goal is reached: anything from data manipulation and unauthorized access to denial of service or remote code execution, depending on the specific memory safety issue exploited.
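The description and attack chain above turn on one arithmetic fact: contentLength 65535 plus paddingLength 1 sums to 65536, which a 16-bit counter stores as 0. The following Python example is added here to make that concrete; it is not HAProxy's code. It builds FastCGI records from their specification layout, then walks a constructed byte stream two ways: once with the per-record body length held in a 16-bit counter (modelling the drl field; the 16-bit width is an inference from the advisory's "wraps to 0", not stated on the page), and once with widened arithmetic as a fix would use. The names build_record, walk_records, body_len_16bit, body_len_wide and first_desync_offset are this example's own.

```python
import struct

FCGI_HEADER_LEN = 8
FCGI_END_REQUEST = 3
FCGI_STDOUT = 6


def build_record(rtype, request_id, content, padding_len):
    """Construct one FastCGI record: 8-byte header, content bytes, then padding bytes."""
    header = struct.pack("!BBHHBB", 1, rtype, request_id, len(content), padding_len, 0)
    return header + content + b"\x00" * padding_len


def parse_header(buf, offset):
    """Decode the 8-byte header at offset as (version, type, requestId, contentLength, paddingLength)."""
    version, rtype, request_id, content_len, padding_len, _reserved = struct.unpack_from(
        "!BBHHBB", buf, offset)
    return version, rtype, request_id, content_len, padding_len


def body_len_16bit(content_len, padding_len):
    """Vulnerable form: the remaining-length counter is 16 bits wide (assumption inferred from
    the advisory's '65535 + 1 wraps to 0'), so the sum is truncated to 16 bits."""
    return (content_len + padding_len) & 0xFFFF


def body_len_wide(content_len, padding_len):
    """Widened form: contentLength + paddingLength can reach 65535 + 255 = 65790, which needs
    more than 16 bits, so the sum is kept intact."""
    return content_len + padding_len


def walk_records(stream, body_len_fn):
    """Walk the stream header by header, advancing by header length plus the body length that
    body_len_fn computes. Returns (offset, version, type, contentLength) for each header the
    walker believes it saw, including bogus ones read from inside record content."""
    seen = []
    off = 0
    while off + FCGI_HEADER_LEN <= len(stream):
        version, rtype, rid, clen, plen = parse_header(stream, off)
        seen.append((off, version, rtype, clen))
        off += FCGI_HEADER_LEN + body_len_fn(clen, plen)
    return seen


def first_desync_offset(stream, body_len_fn):
    """Offset of the first 'header' whose version byte is not 1, i.e. where the walker started
    treating record content as framing; None if framing stayed aligned to the end."""
    for off, version, _rtype, _clen in walk_records(stream, body_len_fn):
        if version != 1:
            return off
    return None


# Constructed sample stream: a 65535-byte STDOUT record with one byte of padding (the trigger
# shape the advisory describes), followed by an ordinary END_REQUEST record.
STREAM = (build_record(FCGI_STDOUT, 1, b"A" * 65535, 1)
          + build_record(FCGI_END_REQUEST, 1, b"\x00" * 8, 0))

if __name__ == "__main__":
    for name, fn in (("16-bit counter", body_len_16bit), ("widened counter", body_len_wide)):
        headers = walk_records(STREAM, fn)
        print(f"{name}: {len(headers)} headers seen, first two {headers[:2]}, "
              f"desync at {first_desync_offset(STREAM, fn)}")
```

With the widened counter the walker sees exactly two headers, at offsets 0 and 65544, and the second is the END_REQUEST record. With the 16-bit counter the first record's body length becomes 0, so the walker reads its next "header" at offset 8, inside the 65535 bytes of content, and from there on every header it parses is garbage: the END_REQUEST record is never seen, and the version check fails at offset 8. That version-byte check is the cheapest sanity test a framing parser can keep; the real fix is the widened length arithmetic.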

Impact

The successful exploitation of CVE-2026-55203 can lead to severe consequences, with a CVSS v3.1 Base Score of 7.5. Primary impacts include the desynchronization of HAProxy's FastCGI parser, enabling attackers to cause request routing errors, potentially redirecting user traffic to unintended services or malicious content. More critically, it can facilitate response smuggling, where attackers can inject arbitrary data or even entire unauthorized responses into a legitimate client's connection. Furthermore, the underlying integer overflow can lead to various memory safety issues, potentially resulting in HAProxy crashes, denial-of-service, information disclosure, or even remote code execution, undermining the stability and security of the proxy layer.

Recommendation

  • Patch CVE-2026-55203 immediately by updating HAProxy to a release later than 3.4.0 that contains commit 5985276 (e.g., 3.4.1 or later).
  • Deploy the Sigma rule "CVE-2026-55203 - Detect HAProxy FCGI Parsing Errors" to your SIEM to identify internal errors indicative of attempted exploitation.
  • Deploy the Sigma rule "CVE-2026-55203 - Detect High Volume of HAProxy 5xx Errors" to monitor for unusual spikes in server-side errors that could signal instability or routing issues caused by exploitation.
  • Enable comprehensive logging for HAProxy and its FastCGI backends, including detailed error messages, to facilitate investigation.

Detection coverage (2 rules)

CVE-2026-55203 - Detect HAProxy FCGI Parsing Errors

high

Detects CVE-2026-55203 exploitation — HAProxy internal error messages related to FastCGI parsing failures, indicative of the integer overflow vulnerability being triggered by a malicious backend.

Format: sigma; tactics: impact; techniques: T1499; sources: syslog, linux

CVE-2026-55203 - Detect High Volume of HAProxy 5xx Errors

medium

Detects CVE-2026-55203 exploitation — monitors for a sustained high rate of HTTP 5xx errors (e.g., 500, 502, 503) served by HAProxy, which could indicate internal routing issues, crashes, or service instability caused by the FastCGI vulnerability.

Format: sigma; tactics: impact; techniques: T1499; sources: webserver
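The 5xx-rate rule's logic, as an added Python example rather than the platform's Sigma rule: it reads lines in HAProxy's default httplog layout, buckets responses per backend per 60-second window, and flags windows where 5xx responses are both numerous and a large share of the backend's traffic, so a single flaky request does not alert but a backend whose framing has been desynchronized does. The log lines are constructed samples (the backend name fcgi-app, server names and paths are invented), the thresholds are illustrative defaults to tune per site, and parse_line, find_5xx_bursts and make_line are this example's own names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of HAProxy's default httplog format the rule needs: accept timestamp, frontend,
# backend/server, the timer block, and the HTTP status code that follows the timers.
LOG_RE = re.compile(
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d{3}\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<timers>[-\d/]+) (?P<status>-?\d{3}) "
)
EPOCH = datetime(1970, 1, 1)  # fixed reference so window boundaries do not depend on local timezone


def parse_line(line):
    """Return (timestamp, backend, server, status) for one httplog access line, or None for
    any other HAProxy log line (startup notices, alerts, non-HTTP traffic)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    return ts, m.group("backend"), m.group("server"), int(m.group("status"))


def find_5xx_bursts(lines, window_s=60, min_5xx=5, min_ratio=0.5):
    """Bucket responses per (window, backend) and flag windows in which 5xx responses number
    at least min_5xx and make up at least min_ratio of that backend's responses.
    Returns a sorted list of (window_start, backend, total, count_5xx)."""
    buckets = defaultdict(lambda: [0, 0])  # (window_start_secs, backend) -> [total, 5xx]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, backend, _server, status = rec
        secs = int((ts - EPOCH).total_seconds())
        key = (secs - secs % window_s, backend)
        buckets[key][0] += 1
        if 500 <= status <= 599:
            buckets[key][1] += 1
    alerts = []
    for (start, backend), (total, bad) in sorted(buckets.items()):
        if bad >= min_5xx and bad / total >= min_ratio:
            alerts.append((EPOCH + timedelta(seconds=start), backend, total, bad))
    return alerts


def make_line(hhmmss, server, status, path):
    """Construct one sample line in HAProxy httplog layout (sample data, not a real capture)."""
    return (f"Feb  6 {hhmmss} lb1 haproxy[2113]: 10.0.1.2:33317 "
            f"[06/Feb/2026:{hhmmss}.412] http-in fcgi-app/{server} "
            f'10/0/30/69/109 {status} 2750 - - ---- 1/1/1/1/0 0/0 "GET {path} HTTP/1.1"')


# Constructed sample: a quiet minute with two isolated 502s, a minute in which 8 of 10 responses
# are 503, a quiet tail, and one non-access line that the parser must skip.
SAMPLE_LOG = (
    [make_line(f"12:14:{s:02d}", "php1", 200, "/index.php") for s in range(0, 50, 5)]
    + [make_line("12:14:52", "php1", 502, "/app.php"),
       make_line("12:14:58", "php2", 502, "/app.php")]
    + [make_line(f"12:15:{s:02d}", "php1", 200 if s in (0, 25) else 503, "/app.php")
       for s in range(0, 50, 5)]
    + [make_line(f"12:16:{s:02d}", "php2", 200, "/health") for s in (1, 20, 40)]
    + ["Feb  6 12:16:41 lb1 haproxy[2113]: Proxy http-in started."]
)

if __name__ == "__main__":
    for start, backend, total, bad in find_5xx_bursts(SAMPLE_LOG):
        print(f"{start:%Y-%m-%d %H:%M}: backend {backend} returned {bad}/{total} 5xx responses")
```

Run against the sample, only the 12:15 window alerts (8 of 10 responses were 5xx); the two 502s at the end of 12:14 stay below both thresholds. Requiring both an absolute count and a ratio is what keeps this usable on low-traffic backends, where a handful of errors is a large percentage, and on busy ones, where a steady trickle of 5xx is normal background noise.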
