Hi,
HAProxy 2.4.36 was released on 2026/07/02. It added 23 new commits
after version 2.4.35.
HAProxy 2.4 has reached its end of life and this is expected to be its last
release. There will be no further bug or security fixes for this branch. If
you're still running 2.4 in production, please plan your upgrade now. Some
pending fixes were backported to this released:
* In the FCGI multiplexer, an integer overflow was fixed: the unsigned
16-bit integer used for the record length overflowed to 0 when the
record length was 65535 and padding was non-zero, causing the state
machine to skip consuming buffer data and parse the remaining bytes as a
new FCGI record header. This could only happen for unknown records or
for STDOUT records received after the end of the response.
CVE-2026-55203 was assigned to this overflow. It must be noted however
that the assigned severity is excessively high relative to the actual
exploitability: triggering this bug requires the FCGI backend server
itself to be compromised and to craft a malicious response with exactly
those values, which is well outside a normal threat model where the
backend is trusted. Additionally, stream ID 0 was not rejected for
application records as required by the FCGI specification, potentially
causing incorrect demultiplexing. When trying to forward data to a
server whose stream was already closed, the FCGI mux claimed to have
consumed buffered data without actually draining them, causing the upper
layer to loop endlessly trying to send. A minor fix also corrected the
computation of contiguous data in the demux buffer.
* The HTTP/1 parser received a fix to filter out all "h2c" values from
Upgrade headers during parsing, preventing protocol confusion when a
client sends unsupported upgrade requests. The WebSocket protocol token
is no longer masked when multiple protocols appear in the Upgrade
header.
* In the H1 mux, the connection/upgrade header value is now duplicated
before being parsed when building outgoing request headers, as the
parsing modified the value in-place and could corrupt shared data.
* A NULL pointer dereference was fixed in the authentication code when an
unconfigured password entry (NULL) was accessed during authentication,
which could crash the process when a user with no password was
configured. The log-forward module treated the month field as a signed
integer, which could cause incorrect log timestamps when the high bit
was set.
* Two bugs were fixed in the cache subsystem. The primary hash was not
always verified in get_secondary_entry(), which could lead to incorrect
cache hits returning the wrong cached response. The maxage value was
being overwritten instead of properly copied during parsing of
cache-control directives.
* Two locking bugs were fixed in the dictionary subsystem, which is used
internally for string deduplication. The read lock was not held while
incrementing the refcount in dict_insert(), creating a race condition
where two concurrent inserts could corrupt the refcount of a shared
entry. The write lock was not held while decrementing the refcount in
dict_entry_unref(), allowing a concurrent lookup to observe an
inconsistent state and potentially access freed memory. A further race
on insert collision was fixed where the refcount was not properly
updated when two threads inserted the same key simultaneously.
* Two bugs were fixed in the Lua integration. An integer underflow was
possible in the Lua cosocket line-read path, causing memory corruption
when fewer bytes than expected were received. Lua was also not filtering
CR, LF, and NUL characters from HTTP headers set by scripts, which could
allow header injection attacks.
* In the DNS resolver code. A validation bug was fixed in
resolv_read_name() where a name compression pointer was not validated
against the response bounds, potentially causing out-of-bounds memory
reads when processing crafted DNS responses.
* In health-check part, when a server inherited ALPN settings from a
default server, the health check was using a reference to the default
server's ALPN string rather than a proper copy, which could lead to
incorrect ALPN negotiation or unexpected behavior if the default server
configuration was modified.
* A NULL pointer dereference was fixed in the HPACK table code: when the
memory pool was exhausted, hpack_dht_defrag() could return NULL and be
immediately dereferenced, crashing the worker process. CVE-2026-55204
was assigned to this issue. Here again the assigned severity is
excessively high: the condition only arises when the process is already
out of memory, at which point the allocator failure itself is likely to
cause other problems before this specific code path is even reached. The
probability of hitting this particular NULL dereference in a production
environment is extremely thin.
* Finally, a few other minor issues were addressed: parameter value
validation in get_server_ph_post() had an incorrect comparison; minor
error-path fixes addressed a dangling pointer on dns_dgram_init()
failure; and the client hello parser had incorrect bounds checks for the
handshake length.
Thanks to everyone for your help on this release!
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.4/src/
Git repository : https://git.haproxy.org/git/haproxy-2.4.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
Changelog : https://www.haproxy.org/download/2.4/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Christopher Faulet (11):
BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing
BUG/MINOR: h1: Don't mask websocket protocol if multiple protocols used
BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default
server
BUG/MEDIUM: dict: hold lock while decrementing refcount in
dict_entry_unref
BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua
cosocket
BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records
BUG/MINOR: mux-fcgi: Use relative offset to compute contig data in demux
buf
Revert "BUG/MEDIUM: dns: fix long loops in additional records parse on name
failure"
BUG/MINOR: cache: Fix copy of value when parsing maxage
BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making
headers
MINOR: version: set the EOL for the 2.4 branch
Tristan Madani (2):
BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag()
BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp
William Lallemand (1):
BUG/MEDIUM: auth: fix unconfigured password NULL deref
Willy Tarreau (9):
BUG/MEDIUM: dict: hold read lock while incrementing refcount in
dict_insert
BUG/MINOR: backend: correct parameter value validation in
get_server_ph_post()
BUG/MEDIUM: dns: fix long loops in additional records parse on name
failure
BUG/MEDIUM: resolvers: fix name compression pointer validation in
resolv_read_name()
BUG/MINOR: dns: fix dangling dgram pointer on dns_dgram_init() failure
path
BUG/MINOR: dict: fix refcount race on insert collision
BUG/MEDIUM: cache: always verify the primary hash in get_secondary_entry()
BUG/MINOR: payload: fix the handshake length bounds check
smp_client_hello_parse()
BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers
--
Christopher Faulet