Threat Feed advisory (severity: medium)

CVE-2026-55204: HAProxy Null Pointer Dereference Leads to Denial of Service

An unauthenticated attacker can exploit CVE-2026-55204, a null pointer dereference vulnerability in HAProxy through version 3.4.0, by triggering excessive HPACK dynamic table insertions under memory pressure, causing HAProxy worker processes to crash and resulting in a denial of service.

HAProxy through version 3.4.0 is affected by CVE-2026-55204, a null pointer dereference vulnerability residing in the hpack_dht_insert() function within src/hpack-tbl.c. This flaw occurs because the function fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An unauthenticated attacker can exploit this by sending specially crafted HTTP/2 requests that trigger excessive HPACK dynamic table insertions. By intentionally inducing memory pressure, the attacker forces hpack_dht_defrag() to return a NULL pointer, which hpack_dht_insert() then attempts to dereference. This action crashes HAProxy worker processes, leading to a denial of service for all services fronted by the vulnerable HAProxy instance. The vulnerability was fixed in commit 9a6d1fe.

Attack Chain

  1. Attacker crafts malicious HTTP/2 request: An unauthenticated attacker sends specifically designed HTTP/2 requests targeting a vulnerable HAProxy instance.
  2. Request triggers HPACK dynamic table insertions: The crafted request's headers are designed to cause numerous HPACK dynamic table insertions within the HAProxy worker process.
  3. Memory pressure induced: These excessive insertions consume memory, leading to memory pressure on the targeted HAProxy worker process.
  4. hpack_dht_defrag() returns NULL: Under severe memory exhaustion, the hpack_dht_defrag() function, called by hpack_dht_insert(), fails to allocate memory and returns a NULL pointer.
  5. Null pointer dereference occurs: The hpack_dht_insert() function proceeds without validating the NULL return value, attempting to dereference this invalid pointer.
  6. HAProxy worker process crashes: This dereference results in a critical error, causing the targeted HAProxy worker process to unexpectedly terminate.
  7. Denial of Service: Repeated exploitation of this vulnerability leads to cascading crashes of HAProxy worker processes, rendering the HAProxy instance unable to process legitimate requests and causing a denial of service for all services it fronts.

Impact

Successful exploitation of CVE-2026-55204 results in a denial of service for services load-balanced or proxied by the vulnerable HAProxy instance. This can lead to severe business disruption, including website or application unavailability, financial losses due to interrupted services, and reputational damage. While no specific victim counts are detailed, any organization utilizing affected HAProxy versions as a critical infrastructure component is at risk. The impact is primarily on system availability, with no direct impact on confidentiality or integrity unless other systems rely on HAProxy's functionality in a critical security path.

Recommendation

  • Immediately patch HAProxy installations by updating to a release that contains the fix for CVE-2026-55204 (commit 9a6d1fe or later).
  • Deploy the Sigma rule "Detects HAProxy Process Crashes (CVE-2026-55204 Impact)" to monitor for unexpected haproxy process terminations.
  • Implement the Sigma rule "Detects High Rate of HAProxy 5xx Errors" to identify unusual spikes in server-side HTTP errors, which may indicate a denial-of-service condition or ongoing exploitation.
  • Configure HAProxy to limit HTTP/2 header sizes and HPACK dynamic table sizes to reduce the attack surface for memory exhaustion attacks, if applicable to your configuration.

Detection coverage (2 rules)

Detects HAProxy Process Crashes (CVE-2026-55204 Impact)

Level: high

Detects unexpected termination of HAProxy processes, which can be an indicator of CVE-2026-55204 exploitation or other denial of service attacks.

Format: Sigma. Tactics: Impact. Techniques: T1499, T1499.001. Sources: process_creation, linux.

Detects High Rate of HAProxy 5xx Errors

Level: medium

Detects an unusual increase in 5xx HTTP status codes (Server Error) from HAProxy webserver logs, which could indicate a denial-of-service attack like CVE-2026-55204 exploitation or service unavailability.

Format: Sigma. Tactics: Impact. Techniques: T1499, T1499.001. Sources: webserver.
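As an added defender-side example (not part of this advisory and not HAProxy's own tooling), the Python below sketches the logic behind the two detection rules above, run against constructed log lines: a sliding-window 5xx ratio over httplog request entries, and a scan for non-zero worker exits in master-worker alerts. The httplog field layout follows HAProxy's documented format; the exact wording of the worker-exit alert, the hostnames, PIDs and addresses are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: six httplog lines from worker 2201, then the master's alert that the worker died.
SAMPLE_LOG = """\
Jan 10 10:00:01 lb1 haproxy[2201]: 203.0.113.5:51234 [10/Jan/2026:10:00:01.123] fe_http be_app/app1 0/0/1/12/13 200 1204 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/2.0"
Jan 10 10:00:02 lb1 haproxy[2201]: 203.0.113.5:51235 [10/Jan/2026:10:00:02.456] fe_http be_app/app2 0/0/1/10/11 200 842 - - ---- 3/3/0/0/0 0/0 "GET /api HTTP/2.0"
Jan 10 10:00:05 lb1 haproxy[2201]: 198.51.100.9:44010 [10/Jan/2026:10:00:05.001] fe_http be_app/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 2/2/0/0/0 0/0 "GET /api HTTP/2.0"
Jan 10 10:00:06 lb1 haproxy[2201]: 198.51.100.9:44011 [10/Jan/2026:10:00:06.004] fe_http be_app/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 2/2/0/0/0 0/0 "GET /api HTTP/2.0"
Jan 10 10:00:07 lb1 haproxy[2201]: 198.51.100.9:44012 [10/Jan/2026:10:00:07.010] fe_http be_app/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 2/2/0/0/0 0/0 "GET /api HTTP/2.0"
Jan 10 10:00:08 lb1 haproxy[2201]: 198.51.100.9:44013 [10/Jan/2026:10:00:08.020] fe_http be_app/app1 0/0/0/-1/3 502 189 - - SH-- 2/2/0/0/0 0/0 "GET /api HTTP/2.0"
Jan 10 10:00:20 lb1 haproxy[2200]: [ALERT]    (2200) : Current worker #1 (2201) exited with code 139 (Segmentation fault)
"""

# httplog fields used here: [accept_date] frontend backend/server timers status
HTTPLOG_RE = re.compile(
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+\] \S+ \S+/\S+ [-\d/]+ (?P<status>\d{3}) "
)
# Assumed wording of the master-worker alert emitted when a worker dies (139 = SIGSEGV).
WORKER_EXIT_RE = re.compile(r"Current worker #\d+ \((?P<pid>\d+)\) exited with code (?P<code>\d+)")

def worker_crashes(lines):
    """Return (pid, exit_code) for every worker that exited with a non-zero code."""
    found = []
    for line in lines:
        m = WORKER_EXIT_RE.search(line)
        if m and int(m.group("code")) != 0:
            found.append((int(m.group("pid")), int(m.group("code"))))
    return found

def error_spikes(lines, window=timedelta(seconds=60), min_requests=5, ratio=0.5):
    """Sliding window over accept time: report each point where the 5xx share reaches `ratio`."""
    recent, errors, alerts = deque(), 0, []
    for line in lines:
        m = HTTPLOG_RE.search(line)
        if not m:
            continue  # alerts, health checks and other non-request lines are skipped
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        is_err = m.group("status").startswith("5")
        recent.append((ts, is_err))
        errors += is_err
        while ts - recent[0][0] > window:  # evict requests that left the window
            _, old_err = recent.popleft()
            errors -= old_err
        if len(recent) >= min_requests and errors / len(recent) >= ratio:
            alerts.append((ts, errors, len(recent)))
    return alerts
```

Tune `window`, `min_requests` and `ratio` to the site's normal traffic; a single `<NOSRV>` 503 burst after a backend health-check failure looks the same in the log as a worker crash, so correlate the 5xx spike with the worker-exit alert before escalating.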
