Cyber Resilience

CVE-2026-55203

CriticalPublic PoCUpdated

Published: 18 June 2026

Published
18 June 2026
Modified
26 June 2026
KEV Added
Patch
CVSS Score v4 9.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0032 23.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-55203 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Haproxy Haproxy. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field…

more

wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Integer overflow enables parser desync/response smuggling when HAProxy (public-facing proxy) processes malicious FastCGI backend responses.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

haproxy
haproxy
≤ 3.4.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References