CVE-2026-55204
Received Received - Intake
Heap Overflow in HAProxy Leading to DoS

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: VulnCheck

Description
HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-55204
EUVD
EUVD-2026-37906
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
haproxy haproxy to 3.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-55204 is a high-severity vulnerability in HAProxy versions up to 3.4.0 involving a null pointer dereference in the hpack_dht_insert() function within src/hpack-tbl.c.

The vulnerability occurs because the function fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. Specifically, under memory pressure, an attacker can trigger HPACK dynamic table insertions that cause hpack_dht_defrag() to return NULL, which is then dereferenced without a proper check.

This leads to a crash of HAProxy worker processes due to a segmentation fault, resulting in a denial of service condition.

Impact Analysis

This vulnerability can cause HAProxy worker processes to crash unexpectedly when exploited, leading to denial of service.

An attacker can exploit this by triggering HPACK dynamic table insertions under memory pressure, causing the service to become unavailable.

  • Service disruption due to HAProxy worker process crashes.
  • Potential downtime or degraded performance of applications relying on HAProxy for load balancing or proxying.
Detection Guidance

This vulnerability involves a NULL pointer dereference in HAProxy versions up to 3.4.0 triggered by HPACK dynamic table insertions under memory pressure, causing worker process crashes and denial of service.

Detection can focus on monitoring HAProxy worker process crashes or segmentation faults (SIGSEGV) related to HPACK table handling.

Suggested commands include checking HAProxy logs for crash reports or segmentation faults and using system tools to monitor HAProxy process stability.

  • Check HAProxy logs for worker crashes: `grep -i 'segfault' /var/log/haproxy.log` or relevant log files.
  • Use systemd journal to find HAProxy crashes: `journalctl -u haproxy | grep -i 'segfault'`.
  • Monitor HAProxy worker processes for unexpected exits or restarts: `ps aux | grep haproxy` and `systemctl status haproxy`.
  • Enable core dumps for HAProxy to analyze crashes: `ulimit -c unlimited` before starting HAProxy.
Mitigation Strategies

The primary mitigation is to upgrade HAProxy to a version that includes the fix from commit 9a6d1fe, which adds a NULL check after the hpack_dht_defrag() call to prevent the NULL pointer dereference.

If upgrading immediately is not possible, consider limiting or controlling HPACK dynamic table insertions or memory pressure on HAProxy to reduce the chance of triggering the vulnerability.

Additionally, monitor HAProxy worker processes for crashes and restart them promptly to maintain service availability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart