{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-13T00:00:00Z",
  "bugzilla" : {
    "description" : "haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchronization",
    "id" : "2457920",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457920"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-130",
  "details" : [ "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.", "A flaw was found in HAProxy. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP/3 request. The HTTP/3 parser fails to verify that the received body length matches the announced content-length when a stream is closed with an empty payload. This desynchronization with the backend server can lead to request smuggling, allowing an attacker to bypass security mechanisms and potentially access unauthorized resources." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-17T00:00:00Z",
    "advisory" : "RHSA-2026:8749",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "haproxy-main-3.0.19-1.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "haproxy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "haproxy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "haproxy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "haproxy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "haproxy",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33555\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33555\nhttps://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84\nhttps://www.haproxy.com/documentation/haproxy-aloha/changelog/\nhttps://www.haproxy.org\nhttps://www.mail-archive.com/haproxy@formilux.org/msg46752.html" ],
  "name" : "CVE-2026-33555",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}