2457920 – (CVE-2026-33555) CVE-2026-33555 haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchronization

Bug 2457920 (CVE-2026-33555) - CVE-2026-33555 haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchronization

Summary: CVE-2026-33555 haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchr...

Keywords:
Status:	NEW
Alias:	CVE-2026-33555
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457988
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-13 17:01 UTC by OSIDB Bzimport
Modified:	2026-04-13 20:24 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-13 17:01:25 UTC

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Note You need to log in before you can comment on or make changes to this bug.