{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/haproxy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HAProxy 3.4.0"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","HAProxy","CVE-2026-55204"],"_cs_type":"advisory","_cs_vendors":["HAProxy Technologies"],"content_html":"\u003cp\u003eHAProxy through version 3.4.0 is affected by CVE-2026-55204, a null pointer dereference vulnerability residing in the \u003ccode\u003ehpack_dht_insert()\u003c/code\u003e function within \u003ccode\u003esrc/hpack-tbl.c\u003c/code\u003e. This flaw occurs because the function fails to validate the return value of \u003ccode\u003ehpack_dht_defrag()\u003c/code\u003e when the memory pool is exhausted. An unauthenticated attacker can exploit this by sending specially crafted HTTP/2 requests that trigger excessive HPACK dynamic table insertions. By intentionally inducing memory pressure, the attacker forces \u003ccode\u003ehpack_dht_defrag()\u003c/code\u003e to return a NULL pointer, which \u003ccode\u003ehpack_dht_insert()\u003c/code\u003e then attempts to dereference. This action crashes HAProxy worker processes, leading to a denial of service for all services fronted by the vulnerable HAProxy instance. The vulnerability was fixed in commit \u003ccode\u003e9a6d1fe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious HTTP/2 request\u003c/strong\u003e: An unauthenticated attacker sends specifically designed HTTP/2 requests targeting a vulnerable HAProxy instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest triggers HPACK dynamic table insertions\u003c/strong\u003e: The crafted request's headers are designed to cause numerous HPACK dynamic table insertions within the HAProxy worker process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMemory pressure induced\u003c/strong\u003e: These excessive insertions consume memory, leading to memory pressure on the targeted HAProxy worker process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003ehpack_dht_defrag()\u003c/code\u003e returns NULL\u003c/strong\u003e: Under severe memory exhaustion, the \u003ccode\u003ehpack_dht_defrag()\u003c/code\u003e function, called by \u003ccode\u003ehpack_dht_insert()\u003c/code\u003e, fails to allocate memory and returns a NULL pointer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNull pointer dereference occurs\u003c/strong\u003e: The \u003ccode\u003ehpack_dht_insert()\u003c/code\u003e function proceeds without validating the NULL return value, attempting to dereference this invalid pointer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHAProxy worker process crashes\u003c/strong\u003e: This dereference results in a critical error, causing the targeted HAProxy worker process to unexpectedly terminate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: Repeated exploitation of this vulnerability leads to cascading crashes of HAProxy worker processes, rendering the HAProxy instance unable to process legitimate requests and causing a denial of service for all services it fronts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55204 results in a denial of service for services load-balanced or proxied by the vulnerable HAProxy instance. This can lead to severe business disruption, including website or application unavailability, financial losses due to interrupted services, and reputational damage. While no specific victim counts are detailed, any organization utilizing affected HAProxy versions as a critical infrastructure component is at risk. The impact is primarily on system availability, with no direct impact on confidentiality or integrity unless other systems rely on HAProxy's functionality in a critical security path.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately \u003cstrong\u003epatch\u003c/strong\u003e HAProxy installations by updating to a version containing the fix for CVE-2026-55204, specifically referencing commit \u003ccode\u003e9a6d1fe\u003c/code\u003e or later versions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects HAProxy Process Crashes (CVE-2026-55204 Impact)\u0026quot; to monitor for unexpected \u003ccode\u003ehaproxy\u003c/code\u003e process terminations.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detects High Rate of HAProxy 5xx Errors\u0026quot; to identify unusual spikes in server-side HTTP errors, which may indicate a denial-of-service condition or ongoing exploitation.\u003c/li\u003e\n\u003cli\u003eConfigure HAProxy to limit HTTP/2 header sizes and HPACK dynamic table sizes to reduce the attack surface for memory exhaustion attacks, if applicable to your configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T17:24:14Z","date_published":"2026-06-18T17:24:14Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-55204-haproxy-dos/","summary":"An unauthenticated attacker can exploit CVE-2026-55204, a null pointer dereference vulnerability in HAProxy through version 3.4.0, by triggering excessive HPACK dynamic table insertions under memory pressure, causing HAProxy worker processes to crash and resulting in a denial of service.","title":"CVE-2026-55204: HAProxy Null Pointer Dereference Leads to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-55204-haproxy-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HAProxy (through 3.4.0)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","haproxy","fastcgi","integer-overflow","webserver","proxy"],"_cs_type":"advisory","_cs_vendors":["HAProxy"],"content_html":"\u003cp\u003eCVE-2026-55203 impacts HAProxy versions up to and including 3.4.0, stemming from an integer overflow within the \u003ccode\u003efcgi_conn\u003c/code\u003e structure's \u003ccode\u003edrl\u003c/code\u003e field. This vulnerability is triggered when HAProxy receives a FastCGI record from a backend where \u003ccode\u003econtentLength\u003c/code\u003e is precisely 65535 and \u003ccode\u003epaddingLength\u003c/code\u003e is 1 or more. Under these specific conditions, the \u003ccode\u003edrl\u003c/code\u003e field wraps to 0, causing HAProxy to misinterpret subsequent data as new FastCGI record headers. This desynchronization of the FCGI framing parser enables malicious FastCGI backends to manipulate HAProxy's internal state, potentially resulting in request routing errors, response smuggling, or various memory safety issues. Organizations utilizing HAProxy as a reverse proxy for FastCGI applications are particularly susceptible, making immediate patching crucial.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes or compromises a FastCGI backend service configured to communicate with a vulnerable HAProxy instance.\u003c/li\u003e\n\u003cli\u003eThe malicious FastCGI backend constructs and sends a specially crafted FastCGI record to HAProxy.\u003c/li\u003e\n\u003cli\u003eThe crafted FastCGI record includes a \u003ccode\u003econtentLength\u003c/code\u003e value of 65535 and a \u003ccode\u003epaddingLength\u003c/code\u003e of 1 or more.\u003c/li\u003e\n\u003cli\u003eHAProxy receives and attempts to process this record, triggering an integer overflow in the \u003ccode\u003efcgi_conn\u003c/code\u003e structure's \u003ccode\u003edrl\u003c/code\u003e field, causing the field to wrap to 0.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003edrl\u003c/code\u003e field's incorrect value, HAProxy misinterprets the subsequent data stream from the backend as new FastCGI record headers.\u003c/li\u003e\n\u003cli\u003eThis misinterpretation desynchronizes HAProxy's internal FastCGI framing parser, leading to incorrect consumption of subsequent records.\u003c/li\u003e\n\u003cli\u003eThe desynchronization allows the attacker to control HAProxy's processing, potentially leading to request routing errors (e.g., client request routed to wrong backend), response smuggling (e.g., appending arbitrary content to legitimate responses), or various memory safety issues (e.g., crashes, arbitrary code execution).\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is achieved, ranging from data manipulation, unauthorized access, to denial of service or remote code execution depending on the specific memory safety issue exploited.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-55203 can lead to severe consequences, with a CVSS v3.1 Base Score of 7.5. Primary impacts include the desynchronization of HAProxy's FastCGI parser, enabling attackers to cause request routing errors, potentially redirecting user traffic to unintended services or malicious content. More critically, it can facilitate response smuggling, where attackers can inject arbitrary data or even entire unauthorized responses into a legitimate client's connection. Furthermore, the underlying integer overflow can lead to various memory safety issues, potentially resulting in HAProxy crashes, denial-of-service, information disclosure, or even remote code execution, undermining the stability and security of the proxy layer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-55203 immediately by updating HAProxy to a version beyond 3.4.0 (e.g., 3.4.1 or later containing commit 5985276).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;CVE-2026-55203 - Detect HAProxy FCGI Parsing Errors\u0026quot; to your SIEM to identify internal errors indicative of attempted exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;CVE-2026-55203 - Detect High Volume of HAProxy 5xx Errors\u0026quot; to monitor for unusual spikes in server-side errors that could signal instability or routing issues caused by exploitation.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for HAProxy and its FastCGI backends, including detailed error messages, to facilitate investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T17:23:08Z","date_published":"2026-06-18T17:23:08Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-55203-haproxy-integer-overflow/","summary":"An integer overflow vulnerability (CVE-2026-55203) in HAProxy through version 3.4.0 allows malicious FastCGI backends to desynchronize the FCGI framing parser, leading to request routing errors, response smuggling, or memory safety issues.","title":"CVE-2026-55203 HAProxy Integer Overflow in FastCGI Handling","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-55203-haproxy-integer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - Haproxy","version":"https://jsonfeed.org/version/1.1"}