HAProxy - NULL Pointer Dereference in hpack_dht_insert Function | Advisories

Advisories

HAProxy - NULL Pointer Dereference in hpack_dht_insert Function

severity: high
date: 6/18/2026
Affecting: HAProxy <= 3.4.0, fixed in commit 9a6d1fe
CVE: CVE-2026-55204
CWE: CWE-476 NULL Pointer Dereference
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: Patch Commit
Credit: Tristan Madani (@TristanInSec)
Description: HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo