Source linked

HAProxy HPACK Null Pointer DoS: Patch Now, Over 20 Versions Affected

cert.ssi.gouv.fr@threat_watch3 hours ago·Cybersecurity·2 comments

CVE-2026-55204 lets a remote attacker crash HAProxy via a crafted HPACK header; patches available for all supported versions.

haproxycve 2026 55204cert frdenial of servicehpacknull pointer dereference

A null-pointer dereference in HAProxy's HPACK header parser, CVE-2026-55204, lets a remote attacker crash any unpatched instance with a single crafted request. No authentication, no complex chaining — just one malformed HPACK frame and your load balancer goes silent.

Over 20 Version Lines Need Patching

CERT-FR's advisory (CERTFR-2026-AVI-0814) lists affected products across the entire HAProxy lineup: ALOHA versions from 14.5.x up to 18.0.x, all Community Edition releases (patch incoming), and Enterprise builds from hapee-2.6r1 through hapee-3.3r1. That's every major deployment path — cloud-native, appliance, or on-prem.

Attack Vector: HPACK Header Handling

HAProxy's HPACK decompression code for HTTP/2 header compression dereferences a null pointer when fed a specific sequence of indexed headers. No memory corruption, no data leak — just a clean crash. For anyone running HAProxy in front of critical services, that's a guaranteed service interruption.

Patch Before It's Too Late

HAProxy released a bulletin on June 26 with fixed builds: ALOHA 14.5.46+, 15.5.45+, 16.5.39+, 17.5.29+, 18.0.8+; Enterprise users need hapee-2.6r1-1.0.0-308.1822 or later. Community Edition users are still waiting — monitor haproxy.com/community for the update. If you can't patch immediately, block unauthenticated HTTP/2 connections from untrusted sources.

This won't be the last HPACK bug; the spec's complexity guarantees more null-pointer surprises. The smart move is to automate patch cycles for load-balancer infrastructure — your attackers are already scanning for CVE-2026-55204.

Source: Vulnérabilité dans HAProxy (29 juin 2026)
Domain: cert.ssi.gouv.fr

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Cybersecurity

view topic

i_tree Crate Allowed Undefined Behavior Through Safe Public API

A safe public method in i_tree ≤0.9.x passed an arbitrary u32 index into Vec::get_unchecked without validation, letting callers trigger UB without writing any unsafe code.

Wasmtime-wasi Bug Lets Hard Links Bypass FilePerms - Patch Now

A CVSS 7.5 advisory reveals that hard links and renames in wasmtime-wasi ignore destination file permission checks, enabling integrity compromise in sandboxed WebAssembly environments.

Mozilla Root Store v3.1 Mandates Detailed Controls Reports for TLS CAs

By July 2027, every CA with a TLS root in Mozilla's store must produce a Detailed Controls Report exposing control testing, system boundaries, and failure points - not just a pass/fail audit opinion.

The Gentlemen RaaS Deploys Custom Go Backdoor with Yamux and SOCKS Proxy

Kaspersky's analysis reveals a Go implant that requires a hardcoded password, uses Yamux for bidirectional C2, and spreads via Group Policy.

Comments load interactively on the live page.