FKIE_CVE-2026-26999

Vulnerability from fkie_nvd - Published: 2026-03-05 19:16 - Updated: 2026-03-06 15:27
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.
References
security-advisories@github.comhttps://github.com/traefik/traefik/releases/tag/v2.11.38Product, Release Notes
security-advisories@github.comhttps://github.com/traefik/traefik/releases/tag/v3.6.9Product, Release Notes
security-advisories@github.comhttps://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94Patch, Vendor Advisory
Impacted products
Vendor Product Version
traefik traefik *
traefik traefik *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F729E45-F8B4-4A50-A2BE-C52CFFEB888D",
              "versionEndExcluding": "2.11.38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFEBE8EC-89F8-415A-8BB4-209F070117B7",
              "versionEndExcluding": "3.6.9",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9."
    },
    {
      "lang": "es",
      "value": "Traefik es un proxy inverso HTTP y balanceador de carga. Antes de las versiones 2.11.38 y 3.6.9, existe una potencial vulnerabilidad en Traefik al gestionar el handshake TLS en routers TCP. Cuando Traefik procesa una conexi\u00f3n TLS en un router TCP, el plazo de lectura utilizado para limitar el sniffing del protocolo se borra antes de que se complete el handshake TLS. Cuando ocurre un error de lectura en el handshake TLS, el c\u00f3digo intenta un segundo handshake con diferentes par\u00e1metros de conexi\u00f3n, ignorando silenciosamente el error inicial. Un cliente remoto no autenticado puede explotar esto enviando un registro TLS incompleto y deteniendo la transmisi\u00f3n de datos posterior, lo que hace que el handshake TLS se detenga indefinidamente y mantenga las conexiones abiertas. Al abrir muchas de estas conexiones estancadas en paralelo, un atacante puede agotar los descriptores de archivo y las goroutines, degradando la disponibilidad de todos los servicios en el punto de entrada afectado. Este problema ha sido parcheado en las versiones 2.11.38 y 3.6.9."
    }
  ],
  "id": "CVE-2026-26999",
  "lastModified": "2026-03-06T15:27:05.150",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T19:16:05.323",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.