Advisories » MGASA-2026-0146

Updated haproxy packages fix security vulnerability

Publication date: 16 May 2026
Modification date: 16 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-33555

Description

The HTTP/3 parser does not check that the received body length matches a
previously announced content-length when the stream is closed via a
frame with an empty payload. This can cause desynchronization issues
with the backend server and could be used for request smuggling.
(CVE-2026-33555)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35416
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/B3PXHUYDTDFG5IIQSPNJLLIEQV4Z5WK6/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33555

SRPMS

9/core

• haproxy-2.8.18-1.1.mga9