2430198 – (CVE-2026-22045) CVE-2026-22045 traefik: Traefik: Denial of Service via ACME TLS-ALPN fast path resource exhaustion

Bug 2430198 (CVE-2026-22045) - CVE-2026-22045 traefik: Traefik: Denial of Service via ACME TLS-ALPN fast path resource exhaustion

Summary: CVE-2026-22045 traefik: Traefik: Denial of Service via ACME TLS-ALPN fast pat...

Keywords:
Status:	NEW
Alias:	CVE-2026-22045
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-15 23:01 UTC by OSIDB Bzimport
Modified:	2026-01-16 08:57 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-15 23:01:37 UTC

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

Note You need to log in before you can comment on or make changes to this bug.