The HAProxy HPACK implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. This can lead to a fully controlled relative out-of-bounds write when processing a malicious HTTP/2 request (or response).
6313a8193a04a7546984327f36401b3e595cd897bef3968ddef00a3d7d80f2c5
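For triage of captured traffic or as a regression-test helper, the following added example (not HAProxy's code and not part of the advisory) walks an HPACK header block as laid out in RFC 7541 and counts literal header fields that carry a zero-length name or value string, the input class the advisory refers to. The function names and sample bytes are constructed for this illustration, and Huffman-coded strings are only skipped, not decoded.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample header blocks (not taken from any real capture). */
static const uint8_t EMPTY_BOTH[]  = { 0x40, 0x00, 0x00 }; /* literal, empty name and value */
static const uint8_t EMPTY_VALUE[] = { 0x41, 0x00 };       /* indexed name, empty value */

/* HPACK integer with an n-bit prefix (RFC 7541 5.1); -1 if truncated or too long. */
static int hpack_int(const uint8_t *b, size_t len, size_t *pos, int n, uint32_t *out)
{
    uint32_t max = (1u << n) - 1, shift = 0;
    uint8_t c;
    if (*pos >= len) return -1;
    if ((*out = b[(*pos)++] & max) < max) return 0;
    do {
        if (*pos >= len || shift > 21) return -1;   /* cap at 4 continuation bytes */
        c = b[(*pos)++];
        *out += (uint32_t)(c & 0x7f) << shift;
        shift += 7;
    } while (c & 0x80);
    return 0;
}

/* Skip one string literal (RFC 7541 5.2), bounds-checked; count it if empty. */
static int hpack_str(const uint8_t *b, size_t len, size_t *pos, int *zero)
{
    uint32_t n;
    if (hpack_int(b, len, pos, 7, &n) < 0 || n > len - *pos) return -1;
    *zero += (n == 0);
    *pos += n;
    return 0;
}

/* Number of zero-length name/value strings in the block, or -1 if malformed. */
int hpack_count_empty(const uint8_t *b, size_t len)
{
    size_t pos = 0;
    uint32_t idx;
    int zero = 0;
    while (pos < len) {
        uint8_t c = b[pos];
        /* prefix bits: indexed 7, literal+indexing 6, size update 5, other literals 4 */
        int n = (c & 0x80) ? 7 : (c & 0x40) ? 6 : (c & 0x20) ? 5 : 4;
        if (hpack_int(b, len, &pos, n, &idx) < 0 || (n == 7 && idx == 0)) return -1;
        if (n == 7 || n == 5) continue;   /* no string literals follow */
        if (idx == 0 && hpack_str(b, len, &pos, &zero) < 0) return -1;  /* new name */
        if (hpack_str(b, len, &pos, &zero) < 0) return -1;              /* value */
    }
    return zero;
}
```

A non-zero count is not by itself evidence of an attack, since empty header values are legal; it marks the blocks worth checking against the HAProxy version that handled them.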