Description
HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.
Published: 2026-06-18
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HAProxy versions up to 3.4.0 contain an integer overflow in the fcgi_conn structure’s drl field. When a FastCGI backend sends a content length of 65535 and a padding length of one or more, the drl value wraps to zero, which causes the framing parser to misread subsequent record headers. This can lead to request routing errors, response smuggling, or memory safety problems, and the weakness is a classic integer overflow (CWE‑190).

Affected Systems

The vulnerability affects the HAProxy software defined by the vendor haproxy:haproxy, specifically releases up to and including version 3.4.0. No newer releases are listed as affected.

Risk and Exploitability

The CVSS score of 9 indicates critical severity, and the EPSS score is not available. The flaw is not yet listed in the CISA KEV catalog. Exploitation requires a malicious FastCGI backend capable of crafting the specific payload that triggers the drl wrap; the attack vector is internal between HAProxy and its FastCGI backends, so it is not externally triggered but can be leveraged by compromised or malicious backend services.

Generated by OpenCVE AI on June 18, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAProxy to a version that includes the fix committed as 5985276
  • If an immediate upgrade is not possible, disable or segregate FastCGI backends that are not essential, and restrict them only to trusted hosts
  • Monitor HAProxy logs for framing errors, routing anomalies, or signs of memory corruption to detect any ongoing exploitation attempts

Generated by OpenCVE AI on June 18, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8459-1 HAProxy vulnerabilities
History

Tue, 23 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.
Title HAProxy - Integer Overflow in FCGI Demux Record Length Field
First Time appeared Haproxy
Haproxy aloha
Weaknesses CWE-190
CPEs cpe:2.3:a:haproxy:aloha:*:*:*:*:*:*:*:*
Vendors & Products Haproxy
Haproxy aloha
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N'}

cvssV4_0

{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T02:04:44.933Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55203

cve-icon Vulnrichment

Updated: 2026-06-23T02:04:40.425Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:00:12Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound