CVE-2026-55203

NameCVE-2026-55203
DescriptionHAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140430

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)bullseye2.2.9-2+deb11u6vulnerable
bullseye (security)2.2.9-2+deb11u7vulnerable
bookworm, bookworm (security)2.6.12-1+deb12u3vulnerable
trixie3.0.11-1+deb13u2vulnerable
trixie (security)3.0.11-1+deb13u3vulnerable
forky, sid3.2.21-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysourceexperimental3.4.1-1
haproxysource(unstable)3.2.20-11140430

Notes

[trixie] - haproxy <no-dsa> (Minor issue)
https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd

Search for package or bug name: Reporting problems