{"cve":{"cve_id":"CVE-2026-55203","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00259,"epss_percentile":0.17,"epss_as_of":"2026-06-23","description":"HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the drl field of the fcgi_conn structure that allows buffer contents to be misparsed as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, so the record is consumed incorrectly. A malicious FastCGI backend can use this to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues.","published_at":"2026-06-18T16:05:20.100000Z","last_modified_at":null,"cvss_v3_score":7.5,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N","cvss_v3_severity":"HIGH","cvss_v4_score":9.0,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N","cvss_v4_severity":"CRITICAL","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-190"],"nvd_references":["https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd","https://www.vulncheck.com/advisories/haproxy-integer-overflow-in-fcgi-demux-record-length-field"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:30:55.940411Z"},"effective_severity":"CRITICAL","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack 
Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"H","value_label":"High"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"C","value_label":"Changed"},{"metric":"C","name":"Confidentiality","value":"L","value_label":"Low"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"P","value_label":"Present"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"L","value_label":"Low"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"H","value_label":"High"},{"metric":"SA","name":"Availability (Subsequent 
System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"haproxy","vendor_name":"haproxy","product_slug":"haproxy","product_name":"haproxy","version_start":"0","version_start_inclusive":true,"version_end":"3.4.0","version_end_inclusive":true,"cpe23_uri":"cve5:haproxy:haproxy:0:3.4.0"},{"vendor_slug":"haproxy","vendor_name":"haproxy","product_slug":"haproxy","product_name":"haproxy","version_start":"5985276735777634d8c85f1d73bb7764aab0d6dd","version_start_inclusive":true,"version_end":"5985276735777634d8c85f1d73bb7764aab0d6dd","version_end_inclusive":true,"cpe23_uri":"cve5:haproxy:haproxy:5985276735777634d8c85f1d73bb7764aab0d6dd:5985276735777634d8c85f1d73bb7764aab0d6dd"}],"exploit_refs":[],"news":[],"references":[{"url":"https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd","source_type":"PATCH","tags":["patch"]},{"url":"https://www.vulncheck.com/advisories/haproxy-integer-overflow-in-fcgi-demux-record-length-field","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2026-06-18T16:05:20.100000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:55:37.240342Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:37.240342Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:37.240342Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:37.240342Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:37.240342Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:37.240342Z","label":"CVSS score revised","source":"cvelistv5"}]}