{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26999", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T01:41:24.607Z", "datePublished": "2026-03-05T16:15:36.437Z", "dateUpdated": "2026-03-06T16:12:05.342Z"}, "containers": {"cna": {"title": "Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (slowloris doS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.38", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.38", "status": "affected"}, {"version": "< 3.6.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T16:15:36.437Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9."}], "source": {"advisory": "GHSA-xw98-5q62-jx94", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:35.966005Z", "id": "CVE-2026-26999", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:12:05.342Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26999", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:35.966005Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:37.007Z"}}], "cna": {"title": "Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (slowloris doS)", "source": {"advisory": "GHSA-xw98-5q62-jx94", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.38"}, {"status": "affected", "version": "< 3.6.9"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.38", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.38", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.9", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T16:15:36.437Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26999", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:12:05.342Z", "dateReserved": "2026-02-17T01:41:24.607Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T16:15:36.437Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F729E45-F8B4-4A50-A2BE-C52CFFEB888D", "versionEndExcluding": "2.11.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFEBE8EC-89F8-415A-8BB4-209F070117B7", "versionEndExcluding": "3.6.9", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9."}], "id": "CVE-2026-26999", "lastModified": "2026-03-06T15:27:05.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:05.323", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik: Denial of Service due to incomplete TLS handshake", "id": "2444874", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444874"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-26999", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-05T16:15:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26999\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26999\nhttps://github.com/traefik/traefik/releases/tag/v2.11.38\nhttps://github.com/traefik/traefik/releases/tag/v3.6.9\nhttps://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-04-16T12:18:56.590575+00:00", "value": {"mitigation_remediation": ["Upgrade Traefik to version 2.11.38 or 3.6.9 or later, which patch the TLS handshake logic.", "If an upgrade cannot occur immediately, configure connection rate limiting on the affected TCP entrypoints to restrict the number of concurrent handshake attempts from any client.", "Adjust TLS settings to enforce a read deadline or timeout for handshakes, ensuring that stalled connections are terminated and resources are reclaimed promptly."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of Traefik prior to 2.11.38 and 3.6.9. Any deployment of the Traefik reverse proxy or load balancer that uses TCP routing with TLS termination and is running an earlier release is potentially impacted.", "description_and_impact": "Traefik, an HTTP reverse proxy and load balancer, has a flaw affecting TLS handshake handling on TCP routers. During a TCP\u2011based TLS connection, the router clears the read deadline before completing the handshake. When a read error occurs, the code silently retries with a different set of parameters without reporting the initial failure. This allows a remote, unauthenticated client to send a truncated TLS record and terminate data transmission, causing the handshake to stall forever. The stalled connections consume file descriptors and goroutines, ultimately exhausting system resources and degrading the availability of all services behind the affected entrypoint. The weakness is classified as resource exhaustion (CWE\u2011400) and improper release of a resource (CWE\u2011772).", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity issue. The EPSS score is below 1%, reflecting very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network\u2011based, unauthenticated client that establishes a TLS connection to a vulnerable entrypoint and deliberately sends an incomplete TLS record, causing the server to stall processing. If an attacker opens many such connections concurrently, the server can exhaust file descriptors and goroutines, leading to a denial of service for all users on the affected entrypoint."}}}}, "created": "2026-03-06T15:01:39.460180+00:00", "updated": "2026-04-16T12:30:06.111486+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}