Skip to main content

HAProxy CVE-2026-55204

| EUVDEUVD-2026-37906 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-18 VulnCheck GHSA-4vj2-5mvx-3vcc
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable HTTP/2 with no auth or user interaction, but reliably exhausting the memory pool to hit the NULL deref raises attack complexity; impact is availability-only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 17:00 vuln.today
Analysis Generated
Jun 18, 2026 - 17:00 vuln.today

DescriptionCVE.org

HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.

AnalysisAI

Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggering HPACK dynamic table insertions under memory pressure. The flaw lives in hpack_dht_insert() in src/hpack-tbl.c, where the return value of hpack_dht_defrag() is not validated; when the memory pool is exhausted defrag returns NULL and the subsequent dereference crashes the worker. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify HTTP/2-enabled HAProxy frontend
Delivery
Open many concurrent h2 connections
Exploit
Flood streams with large HPACK headers
Install
Exhaust HAProxy memory pool
C2
hpack_dht_defrag returns NULL
Execute
Unchecked deref crashes worker
Impact
Repeat to sustain denial of service

Vulnerability AssessmentAI

Exploitation Requires an HAProxy frontend with HTTP/2 enabled (a 'bind' line advertising 'alpn h2' or an explicit 'proto h2'), reachable by the attacker over the network, running a vulnerable build at or before commit 9a6d1fe in src/hpack-tbl.c. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VA:H and VC:N/VI:N accurately characterizes this as a pure network-reachable, unauthenticated availability bug with no confidentiality or integrity impact, yielding the 8.7 high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens many concurrent HTTP/2 connections to an internet-facing HAProxy frontend and sends streams containing large, varied header sets designed to fill and fragment the per-connection HPACK dynamic table. Once HAProxy's memory pool is exhausted, the next call into hpack_dht_insert() reaches hpack_dht_defrag(), which returns NULL; the unchecked dereference crashes the worker process and tears down every connection it was serving, and the attacker simply repeats the pattern against the respawned worker to sustain a denial of service. …
Remediation Upstream fix available (commit 9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513); a released patched version is not independently confirmed in the provided data, so operators should track the next HAProxy point release after 3.4.0 or rebuild from the patched source at https://github.com/haproxy/haproxy/commit/9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all HAProxy deployments and identify instances running version 3.4.0 or earlier; assess their criticality and traffic volume. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-5360 HIGH
7.5 Jun 30

HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service

CVE-2021-40346 HIGH POC
7.5 Sep 08

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request

CVE-2019-18277 HIGH POC
7.5 Oct 23

A flaw was found in HAProxy before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2019-14241 HIGH POC
7.5 Jul 23

HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_

CVE-2023-40225 HIGH POC
7.2 Aug 10

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2

CVE-2019-8953 MEDIUM POC
6.1 Feb 20

The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, re

CVE-2019-19330 CRITICAL
9.8 Nov 27

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd

CVE-2023-25725 CRITICAL
9.1 Feb 14

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situatio

CVE-2026-55203 CRITICAL
9.0 Jun 18

FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux r

CVE-2014-6269 MEDIUM POC
5.0 Sep 30

Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 a

CVE-2020-11100 HIGH
8.8 Apr 02

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can w

CVE-2023-45539 HIGH
8.2 Nov 28

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive info

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP4 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP5 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP6 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-55204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy