CVE-2026-22045 Overview
A denial of service vulnerability exists in Traefik, an HTTP reverse proxy and load balancer, affecting versions prior to 2.11.35 and 3.6.7. The vulnerability resides in the ACME TLS-ALPN fast path used for automatic TLS certificate generation. When the ACME TLS challenge is enabled, unauthenticated remote attackers can exploit this flaw to exhaust server resources by tying up Go routines and file descriptors indefinitely.
A malicious client can open numerous connections, send a minimal ClientHello with the acme-tls/1 protocol identifier, and then cease responding. This behavior leads to resource exhaustion and denial of service of the affected entry point, effectively preventing legitimate traffic from being processed.
Critical Impact
Unauthenticated attackers can exhaust server resources (Go routines and file descriptors) causing denial of service by exploiting the ACME TLS-ALPN challenge mechanism in Traefik.
Affected Products
- Traefik versions prior to 2.11.35
- Traefik versions 3.x prior to 3.6.7
- Deployments with ACME TLS challenge enabled
Discovery Timeline
- 2026-01-15 - CVE-2026-22045 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-22045
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in Traefik's implementation of the ACME TLS-ALPN-01 challenge, which is used for automatic certificate generation via Let's Encrypt and other ACME-compatible certificate authorities.
The root issue is that the ACME TLS handshake process lacks proper timeout controls. When a client initiates a TLS connection with the acme-tls/1 Application-Layer Protocol Negotiation (ALPN) identifier, Traefik allocates resources (Go routines and file descriptors) to handle the challenge. However, if the client stops responding after the initial ClientHello, these resources remain allocated indefinitely, waiting for a response that never arrives.
Root Cause
The vulnerability stems from missing timeout mechanisms in the ACME TLS-ALPN challenge handshake implementation within Traefik's TCP router. The pkg/server/router/tcp/router.go file handles incoming TLS connections but did not enforce time limits on the ACME TLS challenge negotiation process. This allowed attackers to hold connections open indefinitely by simply not completing the handshake, leading to progressive resource exhaustion.
Attack Vector
The attack is executed over the network and requires no authentication or user interaction. An attacker performs the following steps:
- Opens multiple TCP connections to the Traefik entry point with ACME TLS challenge enabled
- Sends a minimal TLS ClientHello message with the acme-tls/1 ALPN protocol
- Stops responding after sending the ClientHello, leaving the handshake incomplete
- Repeats the process to exhaust available Go routines and file descriptors
- Once resources are exhausted, legitimate clients cannot establish new connections
The patch introduces proper timeout handling for the ACME TLS handshake process:
import (
"bufio"
"bytes"
+ "context"
"crypto/tls"
"errors"
"io"
Source: GitHub Commit Update
The fix adds context-based timeout handling to ensure that ACME TLS challenge handshakes that do not complete within a reasonable timeframe are terminated, releasing the associated resources.
Detection Methods for CVE-2026-22045
Indicators of Compromise
- Abnormal increase in open file descriptors on Traefik instances
- Growing number of Go routines in Traefik process metrics
- Incomplete TLS handshakes with acme-tls/1 ALPN protocol from the same source IPs
- Connection timeouts or service unavailability on Traefik entry points
Detection Strategies
- Monitor Traefik metrics for unusual spikes in active connections and Go routine counts
- Implement alerting on file descriptor exhaustion thresholds
- Analyze network traffic for patterns of incomplete TLS handshakes with acme-tls/1 ALPN
- Review Traefik logs for connection errors indicating resource exhaustion
Monitoring Recommendations
- Configure monitoring dashboards to track Traefik resource utilization including Go routines and file descriptors
- Set up threshold-based alerts for connection counts and resource allocation anomalies
- Enable detailed TLS handshake logging to identify potential attack patterns
- Monitor entry point availability and response times as early indicators of DoS conditions
How to Mitigate CVE-2026-22045
Immediate Actions Required
- Upgrade Traefik to version 2.11.35 or 3.6.7 immediately if ACME TLS challenge is enabled
- Review current Traefik configuration to identify entry points with ACME TLS challenge enabled
- Implement rate limiting on incoming connections as a temporary protective measure
- Monitor for signs of active exploitation while patching is in progress
Patch Information
Traefik has released security patches addressing this vulnerability:
- Version 2.11.35: GitHub Release v2.11.35
- Version 3.6.7: GitHub Release v3.6.7
The fix adds timeout handling to the ACME TLS-ALPN challenge handshake process, ensuring incomplete handshakes are terminated and resources are released. For detailed technical information, see the GitHub Security Advisory GHSA-cwjm-3f7h-9hwq.
Workarounds
- If immediate patching is not possible, consider temporarily disabling ACME TLS-ALPN challenge and using alternative challenge types (HTTP-01 or DNS-01)
- Implement connection rate limiting at the network level to slow down potential attacks
- Configure firewall rules to limit the number of concurrent connections from individual source IPs
- Use a Web Application Firewall (WAF) or DDoS protection service in front of Traefik
# Configuration example - Temporary rate limiting via Traefik middleware
# Add to your Traefik dynamic configuration
[http.middlewares.rate-limit.rateLimit]
average = 100
burst = 50
sourceCriterion.requestHost = true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
