GHSA-58mj-cmhg-35rg · Severity: critical — HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the...
HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.
Conclusion & alert: CVE-2026-55203 is rated Moderate Risk (42/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.26%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-23 | — | 0.26% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.0 | 4.0 | CRITICAL |
|
— | — | [email protected] |
| 7.5 | 3.1 | HIGH |
|
2.2 | 4.7 | [email protected] |
| 9.1 | 3.1 | CRITICAL |
|
3.9 | 5.2 | [email protected] |
GHSA-58mj-cmhg-35rg · Severity: critical — HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-55203 not yet assigned priority: Debian including 1 source packages (haproxy), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-55203 |
suse
|
high | CVE-2026-55203 severity important: SUSE including 1 source package names (haproxy), 2 product×package rows across 2 product lines (SUSE Linux Enterprise High Availability Extension 12 SP5, SUSE Linux Enterprise Server for SAP Applications 12 SP5): Known Not Affected 2. | https://www.suse.com/security/cve/CVE-2026-55203/ |
ubuntu
|
medium | CVE-2026-55203 medium priority: Ubuntu including 1 source packages (haproxy), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, resolute, upstream, xenial): needs-triage 4, released 4. | https://ubuntu.com/security/CVE-2026-55203 |