PT-2026-23084 · Traefik · Traefik
1Seal · Published 2026-03-04 · Updated 2026-03-25 · CVE-2026-26999
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Traefik versions prior to 2.11.38 and versions prior to 3.6.9
Description
Traefik, an HTTP reverse proxy and load balancer, has an issue in its handling of TLS handshakes on TCP routers. The read deadline used for protocol sniffing is cleared before the TLS handshake is completed. If a TLS handshake read error occurs, the code attempts a second handshake, ignoring the initial error. An unauthenticated remote client can exploit this by sending an incomplete TLS record and halting further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening numerous stalled connections simultaneously, an attacker can exhaust system resources like file descriptors and goroutines, leading to a degradation of service availability for all services on the affected entrypoint.
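The deadline ordering described above, shown from the defender's side as an added example; this is not Traefik's code or its patch. The names `sniffAndHandshake`, `peekedConn` and `errNotTLS` and the 200 ms timeout are hypothetical, and the five bytes written in `main` are a constructed record header with no body.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

var errNotTLS = errors.New("first byte is not a TLS handshake record")

// peekedConn replays bytes buffered during sniffing to the TLS layer.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// sniffAndHandshake (hypothetical helper) sniffs the first byte, then runs the
// server handshake under one deadline that is cleared only after success.
func sniffAndHandshake(conn net.Conn, cfg *tls.Config, timeout time.Duration) (*tls.Conn, error) {
	fail := func(err error) (*tls.Conn, error) { conn.Close(); return nil, err }
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return fail(err)
	}
	br := bufio.NewReader(conn)
	if first, err := br.Peek(1); err != nil {
		return fail(err)
	} else if first[0] != 0x16 { // 0x16 = TLS handshake content type
		return fail(errNotTLS)
	}
	// Weak ordering: calling conn.SetDeadline(time.Time{}) here, before the
	// handshake, lets a peer that stops mid-record block Handshake forever.
	tc := tls.Server(&peekedConn{Conn: conn, r: br}, cfg)
	if err := tc.Handshake(); err != nil {
		return fail(err) // fail closed: no second handshake attempt
	}
	_ = conn.SetDeadline(time.Time{}) // disarm only after the handshake succeeded
	return tc, nil
}

func main() { // constructed demo: the peer sends a record header, then stalls
	srv, cli := net.Pipe()
	go cli.Write([]byte{0x16, 0x03, 0x01, 0x02, 0x00})
	_, err := sniffAndHandshake(srv, &tls.Config{}, 200*time.Millisecond)
	fmt.Println("stalled handshake ended with:", err)
}
```

With the deadline armed through the handshake, a stalled peer costs one file descriptor and one goroutine for at most `timeout` instead of indefinitely.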
Recommendations
Traefik versions prior to 2.11.38 should be updated to version 2.11.38 or later.
Traefik versions prior to 3.6.9 should be updated to version 3.6.9 or later.
Exploit
Fix
DoS
Resource Exhaustion
Affected Products
Traefik