CVE-2026-22045

Traefik Jam: The Eternal Handshake Denial of Service

Amit Schendel
Senior Security Researcher

Jan 15, 2026 · 5 min read

Executive Summary (TL;DR)

Traefik's "fast path" for handling Let's Encrypt certificate validations (TLS-ALPN-01) failed to implement timeouts during the internal TLS handshake. By initiating a connection with the specific ALPN header and then halting communication, an attacker can force the server to wait indefinitely. This leaks goroutines and file descriptors, eventually crashing the load balancer.

A resource exhaustion vulnerability in Traefik's ACME TLS-ALPN-01 challenge handler allows unauthenticated attackers to trigger infinite hangs during the TLS handshake, consuming file descriptors and goroutines.
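The defensive pattern the advisory implies (bounding the server-side TLS handshake with a deadline so a silent peer cannot hold a goroutine and a file descriptor open indefinitely) is shown below as an added example. This is illustrative code written for this page, not Traefik's code or its fix; the helper names (selfSignedCert, handshakeWithTimeout, serveOneHandshake, stalledClient, healthyClient) are assumptions, and the certificate is a throwaway self-signed one generated in-process so the example runs offline. The ALPN identifier "acme-tls/1" is the one RFC 8737 defines for TLS-ALPN-01.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Example only: helper names are assumptions for this illustration, not Traefik code.

// selfSignedCert builds a throwaway certificate so the example runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		DNSNames:     []string{"example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeWithTimeout is the hardened pattern: the server-side handshake is
// bounded by a context deadline. A peer that opens the connection and then
// goes silent has its connection closed when the deadline passes, instead of
// pinning a goroutine and a file descriptor forever. An unbounded
// tls.Server(raw, cfg).Handshake() would block until the peer speaks or leaves.
func handshakeWithTimeout(raw net.Conn, cfg *tls.Config, timeout time.Duration) (*tls.Conn, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	tc := tls.Server(raw, cfg)
	if err := tc.HandshakeContext(ctx); err != nil {
		tc.Close() // make sure the descriptor is released on any failure
		return nil, err
	}
	return tc, nil
}

// serveOneHandshake listens on loopback, lets clientFn drive the peer side,
// accepts one connection and returns how long the handshake took plus its
// error (nil on success).
func serveOneHandshake(timeout time.Duration, clientFn func(addr string)) (time.Duration, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{"acme-tls/1"}, // ALPN id defined by RFC 8737 for TLS-ALPN-01
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	go clientFn(ln.Addr().String())

	raw, err := ln.Accept()
	if err != nil {
		return 0, err
	}
	start := time.Now()
	tc, err := handshakeWithTimeout(raw, cfg, timeout)
	if tc != nil {
		tc.Close()
	}
	return time.Since(start), err
}

// stalledClient models the condition in the advisory: it opens the TCP
// connection and never sends a ClientHello.
func stalledClient(hold time.Duration) func(addr string) {
	return func(addr string) {
		c, err := net.Dial("tcp", addr)
		if err != nil {
			return
		}
		time.Sleep(hold)
		c.Close()
	}
}

// healthyClient completes a normal handshake, showing the deadline does not
// affect legitimate peers (verification skipped only because the cert is throwaway).
func healthyClient(addr string) {
	c, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // demo-only: trusting the self-signed cert above
		NextProtos:         []string{"acme-tls/1"},
	})
	if err != nil {
		return
	}
	time.Sleep(50 * time.Millisecond)
	c.Close()
}

func main() {
	took, err := serveOneHandshake(300*time.Millisecond, stalledClient(5*time.Second))
	fmt.Printf("stalled peer: err=%v after %v\n", err, took.Round(time.Millisecond))
	took, err = serveOneHandshake(300*time.Millisecond, healthyClient)
	fmt.Printf("healthy peer: err=%v after %v\n", err, took.Round(time.Millisecond))
}
```

The stalled peer is cut off after the configured deadline with context.DeadlineExceeded, while the healthy peer completes normally; in production the deadline would be set per accepted connection before any handshake work begins.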


Technical Appendix

CVSS Score
5.9 / 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

Traefik Proxy v2.x < 2.11.35
Traefik Proxy v3.x < 3.6.7

Affected Versions Detail

Product                   Affected Versions           Fixed Version
Traefik Proxy (Traefik)   < 2.11.35                   2.11.35
Traefik Proxy (Traefik)   >= 3.0.0-beta1, < 3.6.7     3.6.7
Attribute        Detail
CWE              CWE-770 (Resource Exhaustion)
CVSS v3.1        5.9 (Medium)
Attack Vector    Network (Remote)
Impact           Denial of Service
Protocol         TLS / ACME
Fix Complexity   Low (Update)

CWE-770: Allocation of Resources Without Limits or Throttling

Vulnerability Timeline

Fix committed to master branch
2026-01-08
GHSA-cwjm-3f7h-9hwq published
2026-01-15
CVE-2026-22045 Assigned
2026-01-15