The latest versions of HAProxy Community, HAProxy Enterprise, and HAProxy ALOHA fix two vulnerabilities in the QUIC library. These issues could allow a remote attacker to cause a denial of service. The vulnerabilities involve malformed packets that can crash the HAProxy process through an integer underflow or an infinite loop.
If you use an affected product with the QUIC component enabled, you should update to a fixed version as soon as possible. Instructions are provided below on how to determine whether your HAProxy installation is using QUIC. If you cannot yet update, you can temporarily work around this issue by disabling the QUIC component.
Vulnerability details
CVE Identifiers: CVE-2026-26080 and CVE-2026-26081
CVSSv3.1 Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reported by: Asim Viladi Oglu Manizada
Description
Two separate issues were found in how HAProxy processes QUIC packets:
Token length underflow (CVE-2026-26081): This affects versions 3.0 (ALOHA 16.5) and later. A remote, unauthenticated attacker can cause a process crash. This happens by sending a malformed QUIC Initial packet that causes an integer underflow during token validation.
Truncated varint loop (CVE-2026-26080): This affects versions 3.2 (ALOHA 17.0) and later. An attacker can cause a denial of service. By sending a QUIC packet with a truncated varint, the frame parser enters an infinite loop until the system watchdog terminates the process.
Repeated attacks can result in a lasting denial of service for your environment.
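As an added illustration (not HAProxy's code, and not a description of the patched functions), the following Python shows the two parser invariants whose absence the advisory describes: a length field is checked against the bytes actually remaining before anything is consumed or subtracted, and every iteration of a frame loop either consumes input or raises. The varint encoding follows RFC 9000 (a 2-bit length prefix selecting 1, 2, 4 or 8 bytes); the token and frame layouts are simplified stand-ins assumed for this example, not the real QUIC wire format, and all inputs are constructed.

```python
# Added example: defensive parsing of QUIC variable-length integers and
# length-prefixed fields. Not HAProxy's code; the Initial-token and frame
# layouts below are simplified stand-ins, not the real wire format.


class Malformed(ValueError):
    """Raised for truncated or inconsistent input; the caller drops the packet."""


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an RFC 9000 varint at buf[pos]. Returns (value, new_pos).

    The top two bits of the first byte give the encoded length (1, 2, 4 or 8
    bytes). That length is checked against the buffer before any byte past the
    first is read, so a truncated varint raises instead of being misread.
    """
    if pos >= len(buf):
        raise Malformed("varint: no bytes left at offset %d" % pos)
    first = buf[pos]
    length = 1 << (first >> 6)
    if pos + length > len(buf):
        raise Malformed("varint: needs %d bytes, %d available" % (length, len(buf) - pos))
    value = first & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def parse_token(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a varint token length followed by the token bytes.

    Simplified stand-in for the token field of an Initial packet. The length is
    compared with the bytes remaining *before* it is subtracted from anything,
    which is exactly the check an unsigned 'remaining -= token_len' would skip.
    """
    token_len, pos = decode_varint(buf, pos)
    remaining = len(buf) - pos
    if token_len > remaining:
        raise Malformed("token length %d exceeds %d remaining bytes" % (token_len, remaining))
    return buf[pos:pos + token_len], pos + token_len


def parse_frames(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk a sequence of (type varint, length varint, data) frames.

    Simplified frame layout. Each iteration must advance 'pos'; a truncated
    varint or an over-long length raises, so the loop cannot spin in place.
    """
    frames = []
    pos = 0
    while pos < len(payload):
        start = pos
        ftype, pos = decode_varint(payload, pos)
        flen, pos = decode_varint(payload, pos)
        if flen > len(payload) - pos:
            raise Malformed("frame length %d exceeds payload" % flen)
        frames.append((ftype, payload[pos:pos + flen]))
        pos += flen
        if pos <= start:  # progress guarantee; unreachable with the checks above
            raise Malformed("parser made no progress at offset %d" % start)
    return frames


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises Malformed (used to exercise the error paths)."""
    try:
        fn(*args)
    except Malformed:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: RFC 9000 worked examples plus truncated/oversized cases.
    print(decode_varint(bytes.fromhex("25"), 0))            # (37, 1)
    print(decode_varint(bytes.fromhex("7bbd"), 0))          # (15293, 2)
    print(decode_varint(bytes.fromhex("9d7f3e7d"), 0))      # (494878333, 4)
    print(rejects(decode_varint, bytes.fromhex("7b"), 0))   # True: 2-byte varint cut short
    print(rejects(parse_token, b"\x05abc", 0))              # True: claims 5 bytes, has 3
    print(parse_frames(b"\x01\x02hi\x00\x00"))              # [(1, b'hi'), (0, b'')]
    print(rejects(parse_frames, b"\x01\x40"))               # True: truncated length varint
```

Both failure modes in the advisory reduce to the same rule: validate a length against the real remaining size before using it for arithmetic or as a loop bound, and make rejection the only outcome for input that does not fit.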
Affected versions and remediation
HAProxy Technologies released new versions of its products on Thursday, February 12, 2026, to patch these vulnerabilities.
CVE-2026-26081 (Token length underflow)
Product | Affected version(s) | Fixed version(s)
HAProxy Community / Performance Packages | 3.0 and later | 3.0.16, 3.1.14, 3.2.12, 3.3.3
HAProxy Enterprise | 3.0 and later | hapee-lb-3.0r1-1.0.0-351.929, hapee-lb-3.1r1-1.0.0-355.744, hapee-lb-3.2r1-1.0.0-365.548
HAProxy ALOHA | 16.5 and later | 16.5.30, 17.0.18, 17.5.16
CVE-2026-26080 (Truncated varint loop)
Product | Affected version(s) | Fixed version(s)
HAProxy Community / Performance Packages | 3.2 and later | 3.2.12, 3.3.3
HAProxy Enterprise | 3.2 and later | hapee-lb-3.2r1-1.0.0-365.548
HAProxy ALOHA | 17.0 and later | 17.0.18, 17.5.16
Test if you’re affected
Users of affected products can determine if the QUIC component is enabled on their HAProxy installation and whether they are affected:
For a single installation (test a single config file):

grep -iE "quic" /path/to/haproxy/config && echo "WARNING: QUIC may be enabled" || echo "QUIC not enabled"

For multiple installations (test each config file in a folder):

grep -irE "quic" /path/to/haproxy/folder && echo "WARNING: QUIC may be enabled" || echo "QUIC not enabled"

A response containing “QUIC may be enabled” indicates your HAProxy installation is potentially affected and you need to manually review and disable any QUIC listeners. The fastest method is by using the global keyword tune.quic.listen off (for version 3.3) or no-quic (3.2 and below).
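For a more precise audit than a bare grep, here is an added Python script (not HAProxy's own tooling) that drops comments, flags only bind lines that use the quic4@/quic6@ address prefixes, and records whether the global no-quic or tune.quic.listen off keyword from the advisory is present. The quic4@/quic6@ bind syntax and the simplified comment handling (everything after # is ignored) are assumptions of this example, and the three sample configs it ships with are constructed.

```python
# Added example: audit HAProxy configuration files for QUIC listeners.
# Not HAProxy's own tooling. Assumed syntax: QUIC listeners are declared with
# "bind quic4@..." or "bind quic6@...", and the global keywords "no-quic"
# (3.2 and below) or "tune.quic.listen off" (3.3) disable QUIC, as the advisory
# states. Comment handling is simplified: everything after '#' is dropped.
import os
import re
import sys
import tempfile

BIND_QUIC = re.compile(r"^\s*bind\s+.*quic[46]@", re.IGNORECASE)
QUIC_OFF = re.compile(r"^\s*(no-quic|tune\.quic\.listen\s+off)\s*$", re.IGNORECASE)

# Constructed sample configs (not from any real deployment).
SAMPLE_QUIC = """global
    log stdout format raw local0

frontend www
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    # bind quic6@:443 ssl crt /etc/haproxy/certs/site.pem   (commented out)
    default_backend app
"""
SAMPLE_OFF = "global\n    no-quic\n\nfrontend www\n    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem\n"
SAMPLE_TCP = "frontend www\n    bind :443 ssl crt /etc/haproxy/certs/site.pem  # no quic here\n"


def classify_config_text(text: str) -> dict:
    """Classify one config. Returns {'status', 'listeners', 'disabled'}.

    status is 'quic-listener' (QUIC bind lines present and not globally
    disabled), 'quic-disabled' (bind lines present but a disabling keyword is
    set), or 'no-quic' (no QUIC bind lines outside comments).
    """
    listeners = []
    disabled = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # simplified: '#' starts a comment
        if not line.strip():
            continue
        if QUIC_OFF.match(line):
            disabled = True
        elif BIND_QUIC.match(line):
            listeners.append((lineno, line.strip()))
    if not listeners:
        status = "no-quic"
    elif disabled:
        status = "quic-disabled"
    else:
        status = "quic-listener"
    return {"status": status, "listeners": listeners, "disabled": disabled}


def scan_path(path: str) -> dict:
    """Classify a single file, or every regular file under a directory."""
    results = {}
    if os.path.isfile(path):
        files = [path]
    else:
        files = [os.path.join(d, f) for d, _, names in os.walk(path) for f in sorted(names)]
    for f in files:
        try:
            with open(f, "r", encoding="utf-8", errors="replace") as fh:
                results[f] = classify_config_text(fh.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
    return results


def build_demo_tree() -> str:
    """Write the constructed samples into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="haproxy-quic-audit-")
    samples = (("quic.cfg", SAMPLE_QUIC), ("quic-off.cfg", SAMPLE_OFF), ("tcp-only.cfg", SAMPLE_TCP))
    for name, body in samples:
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Usage: python audit.py /path/to/haproxy/folder  (no argument: run on the samples)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, result in scan_path(target).items():
        print("%-14s %s" % (result["status"], path))
        for lineno, line in result["listeners"]:
            print("    line %d: %s" % (lineno, line))
```

Run it with a file or directory argument, or with none to see the constructed samples classified. The tcp-only sample contains the word "quic" only inside a comment, which the plain grep above reports as a possible listener; this script reports it as no-quic, while still listing the exact bind lines that need review in the other two samples.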
Update instructions
Users of affected products should update immediately by pulling the latest image or package for their release track.
HAProxy Enterprise users can find update instructions in the customer portal.
HAProxy ALOHA users should follow the standard firmware update procedure in their documentation.
HAProxy Community users should compile from the latest source or update via their distribution's package manager or available images.
Cloud images will be available shortly, depending on approval of your respective marketplace or repository.
Support
If you are an HAProxy customer and have questions about this advisory or the update process, please contact our support team via the Customer Portal.