{
"document": {
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "National Cyber Security Centre",
"namespace": "https://www.ncsc.nl/"
},
"title": "CVE-2026-26999",
"tracking": {
"current_release_date": "2026-03-25T18:15:07.544867Z",
"generator": {
"date": "2026-02-17T15:00:00Z",
"engine": {
"name": "V.E.L.M.A",
"version": "1.7"
}
},
"id": "CVE-2026-26999",
"initial_release_date": "2026-03-04T18:56:50.103080Z",
"revision_history": [
{
"date": "2026-03-04T18:56:50.103080Z",
"number": "1",
"summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
},
{
"date": "2026-03-04T18:56:54.802483Z",
"number": "2",
"summary": "NCSC Score created."
},
{
"date": "2026-03-05T00:12:52.543877Z",
"number": "3",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (3).| CWES updated (1)."
},
{
"date": "2026-03-05T00:12:56.668279Z",
"number": "4",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-05T18:39:13.295927Z",
"number": "5",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| References created (3).| CWES updated (1)."
},
{
"date": "2026-03-05T18:39:16.058173Z",
"number": "6",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-05T19:29:01.652563Z",
"number": "7",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
},
{
"date": "2026-03-05T19:29:07.993870Z",
"number": "8",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-05T22:48:56.634601Z",
"number": "9",
"summary": "References created (1)."
},
{
"date": "2026-03-06T00:12:41.495623Z",
"number": "10",
"summary": "References created (1)."
},
{
"date": "2026-03-06T00:27:33.435917Z",
"number": "11",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| Product Identifiers created (1).| Product Remediations created (2).| References created (5).| CWES updated (1).| Vendor_assessment created."
},
{
"date": "2026-03-06T00:27:41.694883Z",
"number": "12",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-06T14:55:38.992041Z",
"number": "13",
"summary": "Source created.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-06T14:55:43.586665Z",
"number": "14",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-06T16:25:08.692560Z",
"number": "15",
"summary": "Products connected (2).| Product Identifiers created (2)."
},
{
"date": "2026-03-06T16:25:11.620510Z",
"number": "16",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-06T16:39:02.790467Z",
"number": "17",
"summary": "Unknown change."
},
{
"date": "2026-03-20T09:42:51.217446Z",
"number": "18",
"summary": "Source connected.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-20T09:42:53.268367Z",
"number": "19",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-25T18:15:03.884356Z",
"number": "20",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (4)."
},
{
"date": "2026-03-25T18:15:06.551842Z",
"number": "21",
"summary": "NCSC Score updated."
}
],
"status": "interim",
"version": "21"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:rpm/3",
"product": {
"name": "vers:rpm/3",
"product_id": "CSAFPID-1441150",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_devspaces:3"
}
}
}
],
"category": "product_name",
"name": "Red Hat OpenShift Dev Spaces"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:rpm/unknown",
"product": {
"name": "vers:rpm/unknown",
"product_id": "CSAFPID-2485335"
}
}
],
"category": "product_name",
"name": "traefik-rhel9"
}
],
"category": "product_family",
"name": "Red Hat OpenShift Dev Spaces"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<2.11.38",
"product": {
"name": "vers:unknown/<2.11.38",
"product_id": "CSAFPID-5763353",
"product_identification_helper": {
"cpe": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:unknown/<3.6.9",
"product": {
"name": "vers:unknown/<3.6.9",
"product_id": "CSAFPID-5763354"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<2.11.38",
"product": {
"name": "vers:unknown/>=0|<2.11.38",
"product_id": "CSAFPID-5759450"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<3.6.9",
"product": {
"name": "vers:unknown/>=0|<3.6.9",
"product_id": "CSAFPID-5759451"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=3.0.0|<3.6.9",
"product": {
"name": "vers:unknown/>=3.0.0|<3.6.9",
"product_id": "CSAFPID-5766938",
"product_identification_helper": {
"cpe": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Traefik"
}
],
"category": "vendor",
"name": "Traefik"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-26999",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "## Impact\n\nThere is a potential vulnerability in Traefik managing TLS handshake on TCP routers.\n\nWhen Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open.\n\nBy opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.38\n- https://github.com/traefik/traefik/releases/tag/v3.6.9\n\n## Workarounds\n\nNo workaround available.\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n---\n\n\nOriginal Description
\n\nTraefik's TCP router uses a connection-level read deadline to bound protocol sniffing (peeking a TLS client hello), but then clears the deadline via conn.SetDeadline(time.Time{}) before delegating the connection to TLS forwarding.\n\nA remote unauthenticated client can send an incomplete TLS record header and stop sending data. After the initial peek times out, the router clears the deadline and the subsequent TLS handshake reads can stall indefinitely, holding connections open and consuming resources.\n\n### Expected vs Actual\n\nExpected: if an entrypoint-level read deadline is used to bound initial protocol sniffing, TLS handshake reads should remain bounded by a deadline (either the same deadline is preserved, or a dedicated handshake timeout is enforced).\n\nActual: after protocol sniffing the router clears the connection deadline and delegates to TLS handling; an attacker can keep the TLS handshake stalled beyond the configured read timeout.\n\n### Severity\n\nHIGH\nCWE: CWE-400 (Uncontrolled Resource Consumption)\n\n### Affected Code\n\n- pkg/server/router/tcp/router.go: (*Router).ServeTCP clears the deadline before TLS forwarding\n- conn.SetDeadline(time.Time{}) removes the entrypoint-level deadline that previously bounded reads\n\n### Root Cause\n\nIn (*Router).ServeTCP, after sniffing a TLS client hello, the router removes the connection read deadline:\n\n // Remove read/write deadline and delegate this to underlying TCP server\n // (for now only handled by HTTP Server)\n if err := conn.SetDeadline(time.Time{}); err != nil {\n ...\n }\n\nTLS handshake reads that happen after this point are not guaranteed to have any deadline, so a client that stops sending bytes can keep the connection open indefinitely.\n\n### Attacker Control\n\nAttacker-controlled input is the raw TCP byte stream on an entrypoint that routes to a TLS forwarder. The attacker controls:\n\n1. Sending a partial TLS record header (enough to trigger the TLS sniffing path)\n2. Stopping further sends so the subsequent handshake read blocks\n\n### Impact\n\nEach stalled connection occupies file descriptors and goroutines (and may consume additional memory depending on buffering). By opening many such connections in parallel, an attacker can cause resource exhaustion and degrade availability.\n\n### Reproduction\n\nAttachments include poc.zip with a self-contained integration harness. It pins the repository commit, applies fix.patch as the control variant, and runs a regression-style test that demonstrates the stall in canonical mode and the timeout in control mode.\n\nRun canonical (vulnerable):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nCanonical output excerpt: PROOF_MARKER\n\nRun control (deadline preserved / no stall):\n\n unzip poc.zip -d poc\n cd poc\n make control\n\nControl output excerpt: NC_MARKER\n\n### Recommended Fix\n\nDo not clear the entrypoint-level deadline prior to completing TLS handshake, or enforce a dedicated handshake timeout for the TLS forwarder path.\n\nFix accepted when: an incomplete TLS record cannot stall past the configured entrypoint-level read deadline (or an explicit handshake timeout), and a regression test covers the canonical/control behavior.\n\n ",
"title": "github - https://github.com/advisories/GHSA-xw98-5q62-jx94"
},
{
"category": "description",
"text": "## Impact\n\nThere is a potential vulnerability in Traefik managing TLS handshake on TCP routers.\n\nWhen Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open.\n\nBy opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.38\n- https://github.com/traefik/traefik/releases/tag/v3.6.9\n\n## Workarounds\n\nNo workaround available.\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n---\n\n\nOriginal Description
\n\nTraefik's TCP router uses a connection-level read deadline to bound protocol sniffing (peeking a TLS client hello), but then clears the deadline via conn.SetDeadline(time.Time{}) before delegating the connection to TLS forwarding.\n\nA remote unauthenticated client can send an incomplete TLS record header and stop sending data. After the initial peek times out, the router clears the deadline and the subsequent TLS handshake reads can stall indefinitely, holding connections open and consuming resources.\n\n### Expected vs Actual\n\nExpected: if an entrypoint-level read deadline is used to bound initial protocol sniffing, TLS handshake reads should remain bounded by a deadline (either the same deadline is preserved, or a dedicated handshake timeout is enforced).\n\nActual: after protocol sniffing the router clears the connection deadline and delegates to TLS handling; an attacker can keep the TLS handshake stalled beyond the configured read timeout.\n\n### Severity\n\nHIGH\nCWE: CWE-400 (Uncontrolled Resource Consumption)\n\n### Affected Code\n\n- pkg/server/router/tcp/router.go: (*Router).ServeTCP clears the deadline before TLS forwarding\n- conn.SetDeadline(time.Time{}) removes the entrypoint-level deadline that previously bounded reads\n\n### Root Cause\n\nIn (*Router).ServeTCP, after sniffing a TLS client hello, the router removes the connection read deadline:\n\n // Remove read/write deadline and delegate this to underlying TCP server\n // (for now only handled by HTTP Server)\n if err := conn.SetDeadline(time.Time{}); err != nil {\n ...\n }\n\nTLS handshake reads that happen after this point are not guaranteed to have any deadline, so a client that stops sending bytes can keep the connection open indefinitely.\n\n### Attacker Control\n\nAttacker-controlled input is the raw TCP byte stream on an entrypoint that routes to a TLS forwarder. The attacker controls:\n\n1. Sending a partial TLS record header (enough to trigger the TLS sniffing path)\n2. Stopping further sends so the subsequent handshake read blocks\n\n### Impact\n\nEach stalled connection occupies file descriptors and goroutines (and may consume additional memory depending on buffering). By opening many such connections in parallel, an attacker can cause resource exhaustion and degrade availability.\n\n### Reproduction\n\nAttachments include poc.zip with a self-contained integration harness. It pins the repository commit, applies fix.patch as the control variant, and runs a regression-style test that demonstrates the stall in canonical mode and the timeout in control mode.\n\nRun canonical (vulnerable):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nCanonical output excerpt: PROOF_MARKER\n\nRun control (deadline preserved / no stall):\n\n unzip poc.zip -d poc\n cd poc\n make control\n\nControl output excerpt: NC_MARKER\n\n### Recommended Fix\n\nDo not clear the entrypoint-level deadline prior to completing TLS handshake, or enforce a dedicated handshake timeout for the TLS forwarder path.\n\nFix accepted when: an incomplete TLS record cannot stall past the configured entrypoint-level read deadline (or an explicit handshake timeout), and a regression test covers the canonical/control behavior.\n\n ",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-xw98-5q62-jx94.json?alt=media"
},
{
"category": "description",
"text": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.",
"title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-26999"
},
{
"category": "description",
"text": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.",
"title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-26999"
},
{
"category": "description",
"text": "No description is available for this CVE.",
"title": "redhat - https://access.redhat.com/security/cve/CVE-2026-26999"
},
{
"category": "description",
"text": "Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) in github.com/traefik/traefik",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4594.json?alt=media"
},
{
"category": "other",
"text": "0.00017",
"title": "EPSS"
},
{
"category": "other",
"text": "4.2",
"title": "NCSC Score"
},
{
"category": "other",
"text": "The value of the most recent EPSS score, There is product_remediation data available from source Redhat",
"title": "NCSC Score top decreasing factors"
},
{
"category": "details",
"text": "Severity: 3\n",
"title": "Vendor assessment"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5759450",
"CSAFPID-5759451",
"CSAFPID-5763353",
"CSAFPID-5763354",
"CSAFPID-1441150",
"CSAFPID-2485335",
"CSAFPID-5766938"
]
},
"references": [
{
"category": "external",
"summary": "Source - github",
"url": "https://github.com/advisories/GHSA-xw98-5q62-jx94"
},
{
"category": "external",
"summary": "Source raw - github",
"url": "https://api.github.com/advisories/GHSA-xw98-5q62-jx94"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-xw98-5q62-jx94.json?alt=media"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26999"
},
{
"category": "external",
"summary": "Source raw - cveprojectv5",
"url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/26xxx/CVE-2026-26999.json"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26999"
},
{
"category": "external",
"summary": "Source raw - nvd",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-26999"
},
{
"category": "external",
"summary": "Source - redhat",
"url": "https://access.redhat.com/security/cve/CVE-2026-26999"
},
{
"category": "external",
"summary": "Source raw - redhat",
"url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26999.json"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26999"
},
{
"category": "external",
"summary": "Source raw - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4594.json?alt=media"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-xw98-5q62-jx94"
},
{
"category": "external",
"summary": "Reference - github; osv; redhat",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26999"
},
{
"category": "external",
"summary": "Reference - redhat",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26999"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"CSAFPID-1441150",
"CSAFPID-2485335"
]
}
],
"scores": [
{
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"products": [
"CSAFPID-1441150",
"CSAFPID-2485335",
"CSAFPID-5759450",
"CSAFPID-5759451",
"CSAFPID-5763353",
"CSAFPID-5763354",
"CSAFPID-5766938"
]
}
],
"title": "CVE-2026-26999"
}
]
}