CVE-2026-55203

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.
Configurations

Configuration 1 (hide)

cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*

History

26 Jun 2026, 02:47

Type Values Removed Values Added
CPE cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*
References () https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd - () https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd - Patch
References () https://www.vulncheck.com/advisories/haproxy-integer-overflow-in-fcgi-demux-record-length-field - () https://www.vulncheck.com/advisories/haproxy-integer-overflow-in-fcgi-demux-record-length-field - Third Party Advisory
First Time Haproxy
Haproxy haproxy

18 Jun 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-18 17:16

Updated : 2026-07-14 22:17


NVD link : CVE-2026-55203

Mitre link : CVE-2026-55203

CVE.ORG link : CVE-2026-55203


JSON object : View

Products Affected

haproxy

  • haproxy
CWE
CWE-190

Integer Overflow or Wraparound