Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 547
Alerts This Week
Warning Icon 1 547

Mageia HAProxy Critical Buffer Overflow Denial of Service 2026-0250

mageia
Calendar Grey July 13, 2026
Dist Mageia Esm H88
Critical Mageia advisory for HAProxy fix addressing buffer overflow and null pointer dereference vulnerabilities.
Security update

Summary

Description: HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues. (CVE-2026-55203) HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service. (CVE-2026-55204)

References

- https://bugs.mageia.org/show_bug.cgi?id=35748

- https://www.cve.org/CVERecord?id=CVE-2026-55203

- https://www.cve.org/CVERecord?id=CVE-2026-55204

Resolution

SRPMS

- 10/core/haproxy-3.4.2-1.2.mga10

- 9/core/haproxy-2.8.26-1.mga9

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 14 Jul 2026 
URL: https://advisories.mageia.org/MGASA-2026-0250.html
Type: security
CVE: CVE-2026-55203, CVE-2026-55204

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.