CVE-2026-26999
TLS Handshake Stall Vulnerability in Traefik Causes DoS
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | to 2.11.38 (exc) |
| traefik | traefik | From 3.0.0 (inc) to 3.6.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-26999 is a vulnerability in Traefik's handling of TLS handshakes on TCP routers. Traefik clears the read deadline used for protocol sniffing before completing the TLS handshake. If a TLS handshake read error occurs, Traefik tries a second handshake silently ignoring the initial error. An unauthenticated remote attacker can exploit this by sending an incomplete TLS record and then stopping data transmission, causing the TLS handshake to stall indefinitely and the connection to remain open."}, {'type': 'paragraph', 'content': 'By opening many such stalled connections simultaneously, the attacker can exhaust system resources like file descriptors and goroutines, leading to degraded availability of all services on the affected entrypoint.'}] [3]
How can this vulnerability impact me? :
This vulnerability can be exploited to cause a denial of service (DoS) by exhausting system resources such as file descriptors and goroutines. This resource exhaustion degrades the availability of all services running on the affected Traefik entrypoint, potentially making them unresponsive or unavailable to legitimate users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability causes TLS handshakes on TCP routers managed by Traefik to stall indefinitely when an incomplete TLS record is sent and no further data is transmitted. This results in many stalled connections holding resources open.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your network or system, monitor for an unusually high number of open TCP connections to Traefik entrypoints that remain in a stalled or incomplete TLS handshake state for extended periods.'}, {'type': 'paragraph', 'content': 'You can use commands to identify many open connections in a stalled state, such as:'}, {'type': 'list_item', 'content': "Using netstat or ss to count connections to Traefik's TCP ports:"}, {'type': 'list_item', 'content': "netstat -an | grep ':<traefik-port>' | grep ESTABLISHED | wc -l"}, {'type': 'list_item', 'content': "ss -tn state established '( dport = :<traefik-port> )' | wc -l"}, {'type': 'list_item', 'content': 'Using lsof to check open file descriptors by Traefik process:'}, {'type': 'list_item', 'content': 'lsof -p <traefik-pid> | wc -l'}, {'type': 'paragraph', 'content': 'Look for a large number of connections or file descriptors that do not close over time, which may indicate exploitation attempts causing resource exhaustion.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The vulnerability has been patched in Traefik versions 2.11.38 and 3.6.9. The immediate and recommended mitigation step is to upgrade your Traefik deployment to at least one of these versions or later.'}, {'type': 'paragraph', 'content': "No workaround is available to fully mitigate the issue without upgrading, as the root cause is in the TLS handshake timeout handling within Traefik's TCP router."}, {'type': 'paragraph', 'content': 'After upgrading, verify that the TLS handshake error handling improvements are in place to prevent stalled connections from exhausting resources.'}] [1, 2, 3]