Hi,

This release comes a bit earlier than expected. The reason is that it contains two major fixes related to QUIC. These bugs were reported by Asim Viladi Oglu Manizada and can be exploited to remotely trigger a crash of the process, so please upgrade immediately if you're using QUIC listeners. Note that by default, QUIC is not enabled, so only users with explicit QUIC bind lines added in the configuration are vulnerable. Use the following command on your config files to find matching lines:
  $ grep '^[^#]*bind.*quic' <config_file>

The two patches are related to the QUIC packet parsing code. The first case is an integer overflow when handling a token and is tracked as CVE-2026-26081. The second one happens when decoding the frame type and causes an infinite loop which triggers the haproxy watchdog. It is tracked as CVE-2026-26080. If you want more details, please refer to the following article from the haproxy.com blog:
https://www.haproxy.com/blog/cves-2026-quic-denial-of-service

Aside from these two major patches, this release comes with a series of other less important fixes. Here is the traditional summary of them.

Previously, a client abort during a pending SSL connection could not be interrupted prior to the handshake completion, which resulted in wasted CPU usage. Now, if "option abortonclose" is set, the connection can be aborted prior to any heavy computation. This is explicitly not done when the option is not present, as this could break health checks from other haproxy instances or even other components.

An internal fix was made for applets to ensure that their I/O handler is never called after the shut operation. Previously, this was not the case, in violation of the applets API. This could cause unexpected issues. One of them affected the prometheus exporter, with a crash encountered when accessing a corrupted server instance. With the API now strictly enforced, this is no longer the case.

A bug was discovered in the haproxy task scheduler which could prevent a sleeping thread from being woken up to accept new connections. This bug is in fact really rare, as it only happens when the haproxy process is totally idle and without any outgoing connections, which never happens in real-world scenarios.

In 3.0, a new server setting "hash-key" was introduced for extra configuration of the consistent hash load balancing method.
However, due to an internal code issue, this was not properly taken into account for dynamic servers added via the runtime API. Thus, the load-balancing server init module has been updated to fix the issue and prevent any similar ones in the future. Along with this change, the documentation related to "hash-key" has been extended for the "id" value, which is the default. It now indicates that only the 28 lowest bits of the server ID are taken into account, so anything above 268435456 will generate duplicate keys. This also affects the "random" load-balancing algorithm.

The CPU policies "performance" and "efficiency" have been fixed, as the calculation was wrongly based on the number of CPUs instead of cores. This resulted in an inefficient process allocation on some platforms, most notably with Intel's 14th gen CPUs which combine efficiency and performance cores.

An issue prevented haproxy startup on FreeBSD when using nameservers with the TCP protocol. The function which parses network addresses has been adjusted and the problem is now solved.

This is the end of the changes for this release. Once again, users relying on QUIC have to update immediately. If this is not possible due to a delay constraint, know that you can add the keyword "no-quic" in the global section: this effectively disables any QUIC listeners in the configuration without having to comment out each QUIC bind line, rendering the process immune to the crashes.

  global
    no-quic

In any case, every user is advised to update to benefit from all the latest improvements listed here.

Many thanks to Asim Viladi Oglu Manizada for having found the QUIC security bugs and reaching out to us. His analysis was very detailed and helped us to solve the issues quickly. Finally, thanks also to every other contributor on this release.
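The grep above tells you whether a config file has active QUIC bind lines; the "no-quic" keyword tells you whether they are actually disabled. The following script, an added example that is not part of the announcement or of HAProxy itself, combines the two checks so a fleet can be audited before upgrading. The function names and the sample config layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HAProxy announcement): audit a haproxy config for
# QUIC exposure. Counts uncommented QUIC bind lines and checks whether the
# global "no-quic" mitigation is present. Verdicts: "exposed" (QUIC listeners
# active), "mitigated" (QUIC listeners present but no-quic set), "none".
# Usage: . ./quic_audit.sh && quic_exposure /etc/haproxy/haproxy.cfg

# Count uncommented bind lines carrying the quic keyword, using the same
# pattern as the announcement's grep. "|| true" keeps the "0" output and a
# clean exit status when nothing matches (grep -c exits 1 on zero matches).
quic_bind_count() {
    grep -c '^[^#]*bind.*quic' "$1" || true
}

# Detect an uncommented "no-quic" keyword inside the global section only;
# the keyword is ignored if it appears under another section or a comment.
has_no_quic() {
    awk '
        /^[ \t]*#/ { next }                                   # comment line
        /^[ \t]*global([ \t]|$)/ { in_global = 1; next }      # enter global
        /^[ \t]*(defaults|frontend|backend|listen|peers|resolvers)([ \t]|$)/ {
            in_global = 0                                     # leave global
        }
        in_global && /^[ \t]*no-quic([ \t]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Overall verdict for one config file, printed on stdout.
quic_exposure() {
    n=$(quic_bind_count "$1")
    if [ "$n" -eq 0 ]; then
        echo none
    elif has_no_quic "$1"; then
        echo mitigated
    else
        echo exposed
    fi
}
```

A "mitigated" result only covers the crash described here; the listeners are still configured and will come back the moment "no-quic" is removed, so the upgrade remains the real fix.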
#############################################################################################

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (2):
      BUG/MAJOR: quic: reject invalid token
      BUG/MAJOR: quic: fix parsing frame type

Aperence (1):
      BUG/MINOR: config: Fix setting of alt_proto

Christopher Faulet (2):
      BUG/MAJOR: applet: Don't call I/O handler if the applet was shut
      BUG/MEDIUM: applet: Fix test on shut flags for legacy applets

Egor Shestakov (3):
      DOC: internals: cleanup few typos in master-worker documentation
      BUG/MINOR: startup: fix allocation error message of progname string
      BUG/MINOR: startup: handle a possible strdup() failure

Olivier Houchard (1):
      BUG/MEDIUM: threads: Atomically set TH_FL_SLEEPING and clr FL_NOTIFIED

Willy Tarreau (6):
      MINOR: rawsock: introduce CO_RFL_TRY_HARDER to detect closures on complete reads
      MEDIUM: ssl: don't always process pending handshakes on closed connections
      CLEANUP: haproxy: fix bad line wrapping in run_poll_loop()
      BUG/MINOR: cpu-topo: count cores not cpus to distinguish core types
      BUG/MEDIUM: lb-chash: always properly initialize lb_nodes with dynamic servers
      DOC: config: mention the limitation on server id range for consistent hash

---
--
Amaury Denoyelle

