Description
HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.
Published: 2026-06-18
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the hpack_dht_insert() function when the memory pool is exhausted, because the return value of hpack_dht_defrag() is not validated. The flaw can be triggered by sending a large number of HPACK dynamic table insertions under memory pressure, causing HAProxy worker processes to crash and resulting in a denial of service. This is a CWE‑476 vulnerability.

Affected Systems

HAProxy versions through 3.4.0 are affected. The vulnerability exists in the src/hpack-tbl.c implementation of the HPACK decoder. An attacker must be able to reach the HAProxy instance to send crafted HTTP/2 traffic.

Risk and Exploitability

The CVSS score is 8.7, indicating a high severity. EPSS is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in CISA KEV. The most likely attack vector is remote network traffic exploiting the HTTP/2 protocol; an attacker could send numerous HPACK frames to exhaust memory and trigger the null pointer dereference.

Generated by OpenCVE AI on June 18, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAProxy to a release that includes commit 9a6d1fe or later.
  • If an immediate upgrade is impossible, disable HTTP/2 support or configure a maximum HPACK table size to reduce memory pressure.
  • Monitor HAProxy worker processes for crashes and configure automatic restarts to mitigate denial of service impacts.

Generated by OpenCVE AI on June 18, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8459-1 HAProxy vulnerabilities
History

Fri, 19 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Haproxy haproxy
Vendors & Products Haproxy haproxy

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.
Title HAProxy - NULL Pointer Dereference in hpack_dht_insert Function
First Time appeared Haproxy
Haproxy aloha
Weaknesses CWE-476
CPEs cpe:2.3:a:haproxy:aloha:*:*:*:*:*:*:*:*
Vendors & Products Haproxy
Haproxy aloha
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T17:26:38.498Z

Reserved: 2026-06-16T15:53:37.765Z

Link: CVE-2026-55204

cve-icon Vulnrichment

Updated: 2026-06-18T17:26:31.904Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses