CVE-2018-10184
HIGHHAProxy < 1.8.8 - Heap-Based Buffer Overflow via H2 Frame Length Mismatch
Title source: llmDescription
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for code execution given that buffers are very short lived and their addresses not realistically predictable in production, but the likelihood of an immediate crash is absolutely certain.
References (3)
Core 3
Core References
Various Sources x_refsource_confirm
http://git.haproxy.org/?p=haproxy-1.8.git%3Ba=commit%3Bh=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1372
Various Sources x_refsource_confirm
http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588
Scores
CVSS v3
7.5
EPSS
0.0843
EPSS Percentile
94.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-119
Status
published
Products (5)
haproxy/haproxy
< 1.8.8
redhat/enterprise_linux
7.0
redhat/enterprise_linux
7.3
redhat/enterprise_linux
7.4
redhat/enterprise_linux
7.5
Published
May 09, 2018
Tracked Since
Feb 18, 2026