
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN179
_____________________________________________________________________

DATE                : 17/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running HAProxy versions prior
                        to 3.0.16, 3.1.14, 3.2.12, 3.3.3.

=====================================================================
https://www.haproxy.com/blog/cves-2026-quic-denial-of-service
_____________________________________________________________________

February 2026 — CVE-2026-26080 and CVE-2026-26081: QUIC denial of service
February 12th, 2026


HAProxy Technologies

The latest versions of HAProxy Community, HAProxy Enterprise, and 
HAProxy ALOHA fix two vulnerabilities in the QUIC library. These 
issues could allow a remote attacker to cause a denial of service. The 
vulnerabilities involve malformed packets that can crash the HAProxy 
process through an integer underflow or an infinite loop.

If you use an affected product with the QUIC component enabled, you 
should update to a fixed version as soon as possible. Instructions are 
provided below on how to determine whether your HAProxy installation is 
using QUIC. If you cannot yet update, you can temporarily work around 
this issue by disabling the QUIC component.
Vulnerability details

    CVE Identifiers: CVE-2026-26080 and CVE-2026-26081

    CVSSv3.1 Score: 7.5 (High)

    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Reported by: Asim Viladi Oglu Manizada


Description

Two separate issues were found in how HAProxy processes QUIC packets:

    Token length underflow (CVE-2026-26081): This affects versions 3.0 
(ALOHA 16.5) and later. A remote, unauthenticated attacker can 
cause a process crash. This happens by sending a malformed QUIC 
Initial packet that causes an integer underflow during token 
validation.

    Truncated varint loop (CVE-2026-26080): This affects versions 3.2 
(ALOHA 17.0) and later. An attacker can cause a denial of service. 
By sending a QUIC packet with a truncated varint, the frame parser 
enters an infinite loop until the system watchdog terminates the 
process.


Repeated attacks can enable a lasting denial of service for your 
environment.


Affected versions and remediation

HAProxy Technologies released new versions of its products on 
Thursday, February 12, 2026, to patch these vulnerabilities.

CVE-2026-26081 (Token length underflow)

Product                           Affected version(s)   Fixed version(s)
--------------------------------  --------------------  ----------------------------
HAProxy Community / Performance   3.0 and later         3.0.16
Packages                                                3.1.14
                                                        3.2.12
                                                        3.3.3
HAProxy Enterprise                3.0 and later         hapee-lb-3.0r1-1.0.0-351.929
                                                        hapee-lb-3.1r1-1.0.0-355.744
                                                        hapee-lb-3.2r1-1.0.0-365.548
HAProxy ALOHA                     16.5 and later        16.5.30
                                                        17.0.18
                                                        17.5.16

CVE-2026-26080 (Truncated varint loop)

Product                           Affected version(s)   Fixed version(s)
--------------------------------  --------------------  ----------------------------
HAProxy Community / Performance   3.2 and later         3.2.12
Packages                                                3.3.3
HAProxy Enterprise                3.2 and later         hapee-lb-3.2r1-1.0.0-365.548
HAProxy ALOHA                     17.0 and later        17.0.18
                                                        17.5.16


Test if you’re affected

Users of affected products can determine if the QUIC component is 
enabled on their HAProxy installation and whether they are affected:

For a single installation (test a single config file):

    grep -iE "quic" /path/to/haproxy/config && echo "WARNING: QUIC may be enabled" || echo "QUIC not enabled"

For multiple installations (test each config file in the folder):

    grep -irE "quic" /path/to/haproxy/folder && echo "WARNING: QUIC may be enabled" || echo "QUIC not enabled"

A response containing “QUIC may be enabled” indicates your HAProxy 
installation is potentially affected and you need to manually review 
and disable any QUIC listeners. The fastest method is by using the 
global keyword tune.quic.listen off (for version 3.3) or no-quic (3.2 
and below).
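The grep above also fires on the word "quic" in comments, and it cannot tell a QUIC listener that is already switched off from one that is live. The following script is an added example, not part of the HAProxy advisory: it strips comments, then classifies a config as "disabled" (the global no-quic or tune.quic.listen off keyword named above is present), "enabled" (a bind line uses the quic4@/quic6@ address prefix, assumed here as the standard QUIC bind syntax) or "not-configured". The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the HAProxy advisory): classify one HAProxy config
# as "disabled", "enabled" or "not-configured" for QUIC instead of a bare grep.
# Assumes the quic4@/quic6@ bind address prefixes and the global keywords
# named in the advisory (no-quic, tune.quic.listen off).

# Drop comments and blank lines so commented-out "quic" text is not counted.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print one of: disabled | enabled | not-configured
quic_status() {
    cfg="$1"
    if strip_comments "$cfg" | grep -qE '^[[:space:]]*(no-quic|tune\.quic\.listen[[:space:]]+off)([[:space:]]|$)'; then
        echo disabled          # QUIC globally switched off (advisory workaround)
    elif strip_comments "$cfg" | grep -qE '^[[:space:]]*bind[[:space:]]+quic[46]@'; then
        echo enabled           # at least one live QUIC listener
    else
        echo not-configured    # no QUIC bind line at all
    fi
}

# Constructed sample configs (not real deployments).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/quic-on.cfg" <<'EOF'
global
    log stdout format raw local0
frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
    default_backend be_app
EOF
cat > "$SAMPLE_DIR/quic-off.cfg" <<'EOF'
global
    no-quic
frontend fe_https
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
EOF
cat > "$SAMPLE_DIR/no-quic.cfg" <<'EOF'
# quic is only mentioned in this comment; the advisory's grep would flag it
frontend fe_http
    bind :80
EOF

for f in "$SAMPLE_DIR"/*.cfg; do
    printf '%s: %s\n' "$(basename "$f")" "$(quic_status "$f")"
done
```

Run it against the real config directory by replacing the sample loop's path; "enabled" means the update or the global workaround is still needed.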


Update instructions

Users of affected products should update immediately by pulling the 
latest image or package for their release track.

    HAProxy Enterprise users can find update instructions in the 
customer portal.

    HAProxy ALOHA users should follow the standard firmware update 
procedure in their documentation.

    HAProxy Community users should compile from the latest source or 
update via their distribution's package manager or available 
images.


Note

Cloud images will be available shortly, depending on approval of your 
respective marketplace or repository.

Support

If you are an HAProxy customer and have questions about this advisory 
or the update process, please contact our support team via the 
Customer Portal.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================