CRITICAL · CVE-2026-55203 · CNA: VulnCheck

CVE-2026-55203: HAProxy - Integer Overflow in FCGI Demux Record Length Field

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow in the drl field of the fcgi_conn structure that causes buffer content to be misparsed as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, so the record is consumed incorrectly; a malicious FastCGI backend can use this to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.
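The wrap described above is easy to see in a minimal demuxer. The following is an added illustration, not HAProxy's code: it parses the 8-byte FCGI record header defined in the FastCGI specification, computes the remaining record length once with a 16-bit counter (the class of defect the advisory describes for the drl field) and once with a 32-bit counter (the shape of the fix), and shows where each version believes the next record header starts. The function and structure names, and the sample buffer, are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* 8-byte FCGI record header: version, type, requestId(2), contentLength(2),
 * paddingLength, reserved (all multi-byte fields big-endian, per the spec). */
#define FCGI_HDR_LEN 8
#define FCGI_STDOUT 6
#define FCGI_END_REQUEST 3

struct fcgi_hdr {
    uint8_t  version;
    uint8_t  type;
    uint16_t request_id;
    uint16_t content_len;
    uint8_t  padding_len;
};

/* Returns 0 on success, -1 if fewer than 8 bytes are available. */
static int fcgi_parse_hdr(const uint8_t *buf, size_t len, struct fcgi_hdr *h)
{
    if (len < FCGI_HDR_LEN)
        return -1;
    h->version     = buf[0];
    h->type        = buf[1];
    h->request_id  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->content_len = (uint16_t)((buf[4] << 8) | buf[5]);
    h->padding_len = buf[6];
    /* buf[7] is reserved */
    return 0;
}

/* Defective form: a 16-bit remaining-length counter. contentLength 65535
 * plus paddingLength 1 is 65536, which does not fit and wraps to 0. */
uint16_t record_len_u16(const struct fcgi_hdr *h)
{
    return (uint16_t)(h->content_len + h->padding_len);
}

/* Corrected form: widen the counter; the maximum sum is 65535 + 255. */
uint32_t record_len_u32(const struct fcgi_hdr *h)
{
    return (uint32_t)h->content_len + h->padding_len;
}

/* One demux step: parse the header at offset 0 and return the offset where
 * the parser will look for the next header, or -1 if it must wait for more
 * bytes. `widened` selects the corrected arithmetic. */
long demux_next_record(const uint8_t *buf, size_t len, int widened)
{
    struct fcgi_hdr h;
    if (fcgi_parse_hdr(buf, len, &h) < 0)
        return -1;
    uint32_t body = widened ? record_len_u32(&h) : record_len_u16(&h);
    if (len < FCGI_HDR_LEN + body)
        return -1;
    return (long)(FCGI_HDR_LEN + body);
}

/* Constructed sample stream: one FCGI_STDOUT record with contentLength
 * 65535 and paddingLength 1, its 65536 body bytes (zeroed), then a second
 * header (FCGI_END_REQUEST). Returns the buffer length, 0 on allocation
 * failure. Caller frees *out. */
size_t build_sample(uint8_t **out)
{
    size_t total = FCGI_HDR_LEN + 65536 + FCGI_HDR_LEN;
    uint8_t *b = calloc(total, 1);
    if (!b)
        return 0;
    b[0] = 1; b[1] = FCGI_STDOUT;   /* version 1, stdout record   */
    b[2] = 0; b[3] = 1;             /* requestId 1                */
    b[4] = 0xff; b[5] = 0xff;       /* contentLength 65535        */
    b[6] = 1;                       /* paddingLength 1            */
    uint8_t *h2 = b + FCGI_HDR_LEN + 65536;
    h2[0] = 1; h2[1] = FCGI_END_REQUEST;
    h2[3] = 1; h2[5] = 8;           /* requestId 1, contentLength 8 */
    *out = b;
    return total;
}

/* Offset at which the demuxer expects the second header for the sample. */
long sample_next_offset(int widened)
{
    uint8_t *buf;
    size_t n = build_sample(&buf);
    if (n == 0)
        return -1;
    long off = demux_next_record(buf, n, widened);
    free(buf);
    return off;
}
```

With the 16-bit counter the demuxer advances only 8 bytes and reinterprets the first 8 body bytes, which the backend fully controls, as the next record header; with the widened counter it advances 65544 bytes to the genuine second header. A regression test that feeds a 65535/1 record through the demuxer and asserts the second offset is the check to keep alongside the fix.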

Metrics

CVSS v4.0: 9.0
Severity: CRITICAL
Fixed in: 5985276735777634d8c85f1d73bb7764aab0d6dd
Affected Products: 1


HarborGuard Analysis

Synopsis

An integer overflow vulnerability in HAProxy's FastCGI (FCGI) demultiplexer allows a malicious or compromised FastCGI backend to desynchronize HAProxy's FCGI framing parser. The vulnerability is reachable over the network with no authentication required, as described by the CVSS:4.0 vector (AV:N/PR:N). Successful exploitation enables response smuggling, request routing errors, or memory safety violations that compromise the integrity of upstream and downstream traffic. A patched-image rebuild at commit 5985276 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built HAProxy images, in both registry scans and active CI/CD pipeline checks. Any image containing haproxy at or below version 3.4.0 is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.0 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild pinned to commit 5985276 becomes available on HarborGuard as soon as the fix is confirmed in the upstream source. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable FCGI demux path is exercised over the network; an attacker must be able to control or compromise a FastCGI backend reachable by the HAProxy instance.

  • Authentication: Not required

    No authentication is required to trigger the vulnerability; the malicious FCGI backend communicates over the existing backend connection without any credential barrier.

  • Victim interaction: Not required

    No user or operator action is needed; exploitation occurs through crafted FCGI responses sent passively by the backend.

  • Attack complexity: Low (AC:L), with attack requirements present (AT:P)

    The CVSS vector specifies AC:L (low complexity) but also AT:P (attack requirements: present), meaning the exploit is straightforward to craft once the attacker controls a FastCGI backend, though that prerequisite must be satisfied.

Blast Radius

  • An attacker who controls a FastCGI backend can desynchronize HAProxy's FCGI framing parser, causing HAProxy to misroute requests and deliver responses intended for one client to a different client.
  • The integrity of responses transiting HAProxy is compromised at the downstream scope (SI:H), allowing injection or modification of HTTP responses served to end users.
  • The vulnerability carries a low confidentiality impact at the downstream scope (SC:L), meaning partial exposure of response content across connection boundaries is possible.
  • Memory safety issues arising from the integer overflow in the drl field may produce undefined behavior in the HAProxy process, with the potential for further memory corruption under specific heap layouts.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-55203 is active and matches any image containing haproxy at or below 3.4.0 against the published advisory, including images built from internal Dockerfiles that bundle HAProxy. A patched-image rebuild targeting commit 5985276 is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding in the dashboard with remediation guidance pointing to the fix commit. Because the attack path requires a malicious or compromised FastCGI backend, customers who cannot immediately rebuild may reduce exposure by enforcing strict network policy controls that limit which backends can open FCGI connections to HAProxy, and by auditing backend trust boundaries until the patched image is deployed.


Fix available

Patch commits: 5985276735777634d8c85f1d73bb7764aab0d6dd

Affected packages
  • haproxy / haproxy: ≤ 3.4.0, fixed in 5985276735777634d8c85f1d73bb7764aab0d6dd

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N