CVE-2026-55203 PUBLISHED

HAProxy - Integer Overflow in FCGI Demux Record Length Field

Assigner: VulnCheck
Reserved: 16.06.2026 Published: 18.06.2026 Updated: 18.06.2026

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
CVSS Score: 9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	haproxy
Product	haproxy
Versions	Default: unaffected affected from 0 to 3.4.0 (incl.) Version 5985276735777634d8c85f1d73bb7764aab0d6dd is unaffected

CVE-2026-55203 PUBLISHED

HAProxy - Integer Overflow in FCGI Demux Record Length Field

Metrics

Product Status

Credits

References

Problem Types