VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 18, 2026· Updated Jun 18, 2026

HAProxy - NULL Pointer Dereference in hpack_dht_insert Function

CVE-2026-55204

Description

HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Missing NULL check on the return value of hpack_dht_defrag() in hpack_dht_insert() allows a NULL pointer dereference when the memory pool is exhausted."

Attack vector

An attacker can trigger HPACK dynamic table insertions under memory pressure, causing `pool_head_hpack_tbl` to be exhausted. When `hpack_dht_alloc()` returns NULL, `hpack_dht_defrag()` propagates it, and the missing NULL check at line 353 leads to dereferencing NULL+0x0a (offsetof wrap), crashing the HAProxy worker process with SIGSEGV. This results in a denial of service. [patch_id=6590940]

Affected code

The vulnerability is in `hpack_dht_insert()` within `src/hpack-tbl.c`. The third call site for `hpack_dht_defrag()` (line 353, data-space defrag path) assigns the return value to `dht` and immediately dereferences it without a NULL check, unlike the two other call sites (lines 293 and 306) which correctly check for NULL.

What the fix does

The patch adds a NULL check after the `hpack_dht_defrag()` call on the data-space defrag path, consistent with the two other call sites. If `hpack_dht_defrag()` returns NULL (indicating memory exhaustion), the function now returns -1 immediately instead of dereferencing the NULL pointer. This prevents the SIGSEGV crash. [patch_id=6590940]

Preconditions

  • configThe HAProxy worker process must exhaust its pool_head_hpack_tbl memory pool, causing hpack_dht_alloc() to return NULL.
  • inputAn attacker must be able to send HPACK-encoded HTTP/2 frames that trigger dynamic table insertions.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.