CVE-2026-22045: Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
- Affected code: pkg/server/router/tcp/router.go (ACME TLS-ALPN handling).
- When a ClientHello advertises acme-tls/1, Traefik intercepts it and calls tls.Server(...).Handshake() without any read/write deadlines and without closing the connection afterward.
- Immediately before this branch, existing deadlines set by the entrypoint are cleared.
- A client that sends the ALPN marker and then stops responding can keep the goroutine and socket open indefinitely, potentially exhausting the entrypoint under load.
- Exposure is limited to entrypoints where the ACME TLS-ALPN challenge is enabled and ACME bypass is not allowed.
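The hardened shape of this code path, as an added example that is not Traefik's own code: the handshake is bounded by a deadline and the connection is always closed, and a simulated silent peer (an in-memory net.Pipe, constructed here) shows the stall now surfaces as a timeout error instead of a goroutine held open. The function and value names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"errors"
	"io"
	"net"
	"time"
)

// HandshakeWithDeadline is the hardened form of the ACME TLS-ALPN branch the
// advisory describes (added example, not Traefik's code): the TLS handshake is
// bounded by a deadline, and the connection is always closed afterwards
// because a challenge connection is never handed onward to a backend.
func HandshakeWithDeadline(conn net.Conn, cfg *tls.Config, timeout time.Duration) error {
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	return tls.Server(conn, cfg).Handshake()
}

// IsStallTimeout reports whether the handshake failed because the deadline
// fired, which is how a silent peer now shows up instead of blocking forever.
func IsStallTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// StalledClientHandshake simulates a peer that opens a connection and never
// sends its ClientHello. It reports whether the server side was closed once
// the handshake gave up, and returns the server-side handshake error.
func StalledClientHandshake(timeout time.Duration) (closed bool, err error) {
	serverConn, clientConn := net.Pipe() // constructed in-memory connection pair
	defer clientConn.Close()             // the "client" just holds the socket open
	cfg := &tls.Config{
		NextProtos: []string{"acme-tls/1"},
		// Never reached: the server blocks reading the ClientHello first.
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			return nil, errors.New("no certificate configured for this example")
		},
	}
	err = HandshakeWithDeadline(serverConn, cfg, timeout)
	// A write on a closed pipe (or closed net.Conn) fails immediately.
	_, werr := serverConn.Write([]byte{0})
	closed = errors.Is(werr, io.ErrClosedPipe) || errors.Is(werr, net.ErrClosed)
	return closed, err
}
```

Without the deadline and Close, the same handshake on a silent peer would block indefinitely, which is the behaviour described above.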
References
- github.com/advisories/GHSA-cwjm-3f7h-9hwq
- github.com/traefik/traefik
- github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d
- github.com/traefik/traefik/releases/tag/v2.11.35
- github.com/traefik/traefik/releases/tag/v3.6.7
- github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq
- nvd.nist.gov/vuln/detail/CVE-2026-22045