Impact
A null pointer dereference occurs in the hpack_dht_insert() function when the memory pool is exhausted, because the return value of hpack_dht_defrag() is not validated. The flaw can be triggered by sending a large number of HPACK dynamic table insertions under memory pressure, causing HAProxy worker processes to crash and resulting in a denial of service. This is a CWE‑476 vulnerability.
Affected Systems
HAProxy versions through 3.4.0 are affected. The vulnerability exists in the src/hpack-tbl.c implementation of the HPACK decoder. An attacker must be able to reach the HAProxy instance to send crafted HTTP/2 traffic.
Risk and Exploitability
The CVSS score is 8.7, indicating a high severity. EPSS is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in CISA KEV. The most likely attack vector is remote network traffic exploiting the HTTP/2 protocol; an attacker could send numerous HPACK frames to exhaust memory and trigger the null pointer dereference.
OpenCVE Enrichment
Ubuntu USN