Skip to main content

HAProxy EUVDEUVD-2026-37905

| CVE-2026-55203 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-06-18 VulnCheck GHSA-58mj-cmhg-35rg
Critical
Disputed · 9.0 Vendor: VulnCheck
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (VulnCheck) PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable but requires a malicious FCGI backend (AC:H); no client auth (PR:N); framing desync crosses to other requests (S:C) with high integrity impact and limited confidentiality/availability fallout.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:N
SUSE
5.6 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 17:00 vuln.today
Analysis Generated
Jun 18, 2026 - 17:00 vuln.today

DescriptionCVE.org

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.

AnalysisAI

FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux record length (drl) field, which wraps to zero when a malicious backend sends a record with contentLength 65535 and paddingLength of 1 or more. A hostile FastCGI backend can leverage the misparse to desynchronize HAProxy's FCGI parser, leading to request routing errors, response smuggling, or memory safety issues. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of FCGI backend behind HAProxy
Delivery
Send response with contentLength 65535 and paddingLength >=1
Exploit
drl uint16_t wraps to 0 in fcgi_conn
Execution
HAProxy realigns onto attacker bytes as new FCGI header
Persist
Smuggled response routed to neighboring request
Impact
Cross-request response smuggling or memory corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires HAProxy to be deployed with at least one FastCGI backend (use_backend / server proto fcgi) and for the attacker to control or compromise that FastCGI application server so it can emit a response record with contentLength == 65535 and paddingLength >= 1; client-side authentication is not required (PR:N) but the AT:P attack requirement - a malicious FCGI backend - is the gating condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N) yields 9.0 and emphasizes high integrity impact on both the vulnerable system and a subsequent system, which fits a smuggling/desync primitive that pollutes traffic across requests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised, or operates, a FastCGI application server behind a shared HAProxy instance crafts FCGI records with contentLength 65535 and paddingLength >= 1 so that HAProxy's drl wraps to zero mid-record. HAProxy then realigns onto attacker-chosen bytes inside the padding/body, treating them as a new FCGI record header and routing the smuggled response to the next victim request that happens to share the connection or session. …
Remediation Upstream fix available (commit 5985276); a released patched version is not independently confirmed in the supplied data, so operators should upgrade to the first HAProxy release that includes commit 5985276735777634d8c85f1d73bb7764aab0d6dd or backport that one-line widening of fcgi_conn.drl from uint16_t to uint32_t into their build, tracking the vendor advisory at https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd and the VulnCheck writeup at https://www.vulncheck.com/advisories/haproxy-integer-overflow-in-fcgi-demux-record-length-field. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify HAProxy deployments with FastCGI backends and restrict backend server access if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-5360 HIGH
7.5 Jun 30

HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service

CVE-2021-40346 HIGH POC
7.5 Sep 08

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request

CVE-2019-18277 HIGH POC
7.5 Oct 23

A flaw was found in HAProxy before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2019-14241 HIGH POC
7.5 Jul 23

HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_

CVE-2023-40225 HIGH POC
7.2 Aug 10

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2

CVE-2019-8953 MEDIUM POC
6.1 Feb 20

The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, re

CVE-2019-19330 CRITICAL
9.8 Nov 27

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd

CVE-2023-25725 CRITICAL
9.1 Feb 14

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situatio

CVE-2014-6269 MEDIUM POC
5.0 Sep 30

Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 a

CVE-2020-11100 HIGH
8.8 Apr 02

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can w

CVE-2026-55204 HIGH
8.7 Jun 18

Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggeri

CVE-2023-45539 HIGH
8.2 Nov 28

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive info

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP4 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP5 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP6 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

EUVD-2026-37905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy