Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, Traefik's handling of the TLS handshake on TCP routers is vulnerable. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake has completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and then sending nothing further, causing the TLS handshake to stall indefinitely and holding the connection open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.
Published: 2026-03-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Traefik, an HTTP reverse proxy and load balancer, has a flaw in TLS handshake handling on TCP routers. On a TCP router, Traefik bounds the initial protocol sniffing with a read deadline but clears that deadline before the TLS handshake has completed. When a handshake read then fails, the code silently retries with a different set of connection parameters instead of surfacing the initial error. A remote, unauthenticated client can therefore send a truncated TLS record and simply stop transmitting; the server-side handshake blocks forever waiting for the rest of the record. Each stalled connection pins a file descriptor and a goroutine, so enough of them exhaust the process and degrade the availability of every service behind the affected entrypoint. The weakness is classified as uncontrolled resource consumption (CWE-400) and missing release of a resource after its effective lifetime (CWE-772).

Affected Systems

The vulnerability affects all versions of Traefik prior to 2.11.38 (2.x line) and 3.6.9 (3.x line). Any deployment running an earlier release that exposes TCP routers handling TLS connections on an entrypoint is potentially impacted; HTTP-only entrypoints are not described as affected by the advisory.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low complexity, no privileges or user interaction, and an availability-only impact. The SSVC assessment records Exploitation: none, Automatable: yes and Technical Impact: partial. The EPSS score is below 1%, reflecting a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a network-based, unauthenticated client that opens a TCP connection to a vulnerable entrypoint, sends an incomplete TLS record and then goes silent, leaving the server-side handshake blocked. Because the attack requires no valid certificate, no completed handshake and negligible bandwidth, a single host can hold many such connections open concurrently and exhaust file descriptors and goroutines, denying service to all users on the affected entrypoint.
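
The stall mechanism described under Impact and Risk and Exploitability, reproduced against a minimal Go TCP handler. This is an added example written for this page; it is not Traefik's code and not the upstream patch. The handler, its `keepDeadline` switch, the `peekedConn` wrapper, the `Probe` helper, the 300 ms/1.5 s timings and the five-byte stalled record header are all assumptions chosen for the demonstration. The flawed branch mirrors only the pattern the advisory names (read deadline lifted after protocol sniffing, before the handshake finishes); the hardened branch keeps the socket deadline and a context timeout in force until the handshake actually completes.

```go
package main

import (
	"bufio"
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// peekedConn replays the bytes consumed during protocol sniffing to crypto/tls.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// handleTLS sniffs the first byte under a read deadline, then hands the connection
// to crypto/tls. keepDeadline=false reproduces the flawed pattern from the advisory:
// the deadline is cleared before the handshake finishes, so a client that stops
// mid-record blocks this goroutine (and its file descriptor) indefinitely.
// keepDeadline=true bounds the handshake by the socket deadline plus a context
// timeout and only lifts the deadline once the handshake has completed.
func handleTLS(conn net.Conn, cfg *tls.Config, timeout time.Duration, keepDeadline bool) error {
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	br := bufio.NewReader(conn)
	first, err := br.Peek(1)
	if err != nil {
		return fmt.Errorf("sniff: %w", err)
	}
	if first[0] != 0x16 { // TLS record ContentType 22 = handshake
		return fmt.Errorf("sniff: not a TLS handshake record (0x%02x)", first[0])
	}
	if !keepDeadline {
		_ = conn.SetReadDeadline(time.Time{}) // flawed: reads are now unbounded
	}
	ctx := context.Background()
	if keepDeadline {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, timeout)
		defer cancel()
	}
	if err := tls.Server(&peekedConn{Conn: conn, r: br}, cfg).HandshakeContext(ctx); err != nil {
		return fmt.Errorf("handshake: %w", err)
	}
	_ = conn.SetReadDeadline(time.Time{}) // safe only after a completed handshake
	return nil
}

// serveOnce accepts one loopback connection and reports the handler's result.
func serveOnce(cfg *tls.Config, timeout time.Duration, keepDeadline bool) (net.Listener, <-chan error, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		done <- handleTLS(conn, cfg, timeout, keepDeadline)
	}()
	return ln, done, nil
}

// stallClient plays the attacker: it writes a TLS record header announcing a
// 512-byte ClientHello body (constructed bytes) and then sends nothing else.
func stallClient(addr string) (net.Conn, error) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return nil, err
	}
	if _, err := c.Write([]byte{0x16, 0x03, 0x01, 0x02, 0x00}); err != nil {
		c.Close()
		return nil, err
	}
	return c, nil
}

// selfSignedConfig builds a throwaway ECDSA certificate so the example runs offline.
func selfSignedConfig() (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}, nil
}

// Probe runs one stalled client against the handler and reports whether the
// handler returned within wait (true) or is still blocked (false), plus the
// handler's error when it did return.
func Probe(keepDeadline bool, timeout, wait time.Duration) (bool, error) {
	cfg, err := selfSignedConfig()
	if err != nil {
		return false, err
	}
	ln, done, err := serveOnce(cfg, timeout, keepDeadline)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	c, err := stallClient(ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer c.Close() // closing the attacker socket is what finally frees the flawed handler
	select {
	case err := <-done:
		return true, err
	case <-time.After(wait):
		return false, nil
	}
}

func main() {
	for _, keep := range []bool{false, true} {
		finished, err := Probe(keep, 300*time.Millisecond, 1500*time.Millisecond)
		fmt.Printf("keepDeadline=%v finished=%v err=%v\n", keep, finished, err)
	}
}
```

With `keepDeadline=false` the handler is still blocked after 1.5 s even though the client sent only five bytes; multiply that by the attacker's connection budget and you have the file-descriptor and goroutine exhaustion the advisory describes. With `keepDeadline=true` the same client is rejected with a handshake timeout after 300 ms and the connection is closed.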

Generated by OpenCVE AI on April 16, 2026 at 12:18 UTC.

Remediation

Vendor fix: upgrade to Traefik 2.11.38 (2.x line) or 3.6.9 (3.x line); see GHSA-xw98-5q62-jx94. No vendor-provided configuration workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.38 or 3.6.9 (or later in the respective line); these releases correct the TCP router's handling of the handshake read deadline.
  • If an upgrade cannot occur immediately, limit the number of concurrent connections a single client may hold open to the affected TCP entrypoints (for example at a firewall or upstream load balancer). This caps the blast radius of one source but does not remove the stall itself.
  • Do not rely on TLS or entrypoint configuration to restore the handshake timeout: the deadline at issue is set and cleared inside Traefik's TCP router code, not exposed as a setting. Until patched, enforce idle and connection timeouts in front of Traefik so stalled connections are torn down and descriptors reclaimed, and monitor open connection and goroutine counts on the affected entrypoint.

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-xw98-5q62-jx94   Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DoS)
History

Fri, 06 Mar 2026 17:15:00 +0000

Type          Values Removed   Values Added
Metrics ssvc                   {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Traefik; Traefik traefik
CPEs                                   cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
Vendors & Products                     Traefik; Traefik traefik

Fri, 06 Mar 2026 00:15:00 +0000

Type                      Values Removed   Values Added
Weaknesses                                 CWE-772
References
Metrics threat_severity   None             Important


Thu, 05 Mar 2026 18:15:00 +0000

Type                Values Removed   Values Added
Description                          Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.
Title                                Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DoS)
Weaknesses                           CWE-400
References
Metrics cvssV3_1                     {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:12:05.342Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-26999

Vulnrichment

Updated: 2026-03-06T16:00:37.007Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:05.323

Modified: 2026-03-06T15:27:05.150

Link: CVE-2026-26999

Red Hat

Severity : Important

Public Date: 2026-03-05T16:15:36Z

Links: CVE-2026-26999 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses