Home

Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

PUBLISHED Reserved 2026-03-22 | Published 2026-04-13 | Updated 2026-04-22 | Assigner mitre




MEDIUM: 4.0CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Problem types

CWE-130 Improper Handling of Length Parameter Inconsistency

Product status

Default status
unaffected

2.6 (custom) before 3.3.6
affected

References

r3verii.github.io/...aproxy-h3-standalone-fin-smuggling.html exploit

www.haproxy.org

www.haproxy.com/documentation/haproxy-aloha/changelog/

github.com/...ommit/05a295441c621089ffa4318daf0dbca2dd756a84

www.mail-archive.com/haproxy@formilux.org/msg46752.html

r3verii.github.io/...aproxy-h3-standalone-fin-smuggling.html

cve.org (CVE-2026-33555)

nvd.nist.gov (CVE-2026-33555)

Download JSON