Hi,

This release comes a bit earlier than expected. The reason is that it
contains one major fix related to QUIC. This bug was reported by Asim
Viladi Oglu Manizada and can be exploited to remotely trigger a crash of
the process. So please upgrade immediately if you're using QUIC
listeners. Note that by default, QUIC is not enabled, so only users with
explicit QUIC bind lines added in the configuration are vulnerable. Use
the following command on your config files to find matching lines:

  $ grep '^[^#]*bind.*quic' <config_file>

The patch concerns the QUIC packet parsing code: an integer overflow when
handling a token, tracked as CVE-2026-26081. Note that, unlike 3.2 and
above, 3.1 is not affected by CVE-2026-26080. For more details, please
refer to the following article from the haproxy.com blog:

  https://www.haproxy.com/blog/cves-2026-quic-denial-of-service

Aside from this major patch, this release comes with a series of other
less important fixes. Here is the traditional summary of them.

An internal fix was made for applets to ensure that their I/O handler is
never called after the shut operation. Previously this was not the case,
in violation of the applet API, and it could cause unexpected issues. One
of them affected the Prometheus exporter, which crashed when accessing a
corrupted server instance. Now that the API is strictly enforced, this is
no longer the case.

A bug was discovered in the haproxy task scheduler which could prevent a
sleeping thread from being woken up to accept new connections. This bug
is in fact really rare, as it only happens when the haproxy process is
totally idle and without any outgoing connections, which never happens in
real-world scenarios.

In 3.0, a new server setting "hash-key" was introduced for extra
configuration of the consistent hash load balancing method. However, due
to an internal code issue, it was not properly taken into account for
dynamic servers added via the runtime API. The load-balancing server init
module has been updated to fix the issue and prevent similar ones in the
future. Along with this change, the documentation for "hash-key" has been
extended for the "id" setting, which is the default value. It now states
that only the 28 lowest bits of the server ID are taken into account, so
anything above 268435456 (2^28) will generate duplicate keys. This also
affects the "random" load-balancing algorithm.

An issue prevented haproxy startup on FreeBSD when using nameservers
over TCP. The function which parses network addresses has been adjusted
and the problem is now solved.

This is the end of the changes for this release. Once again, users
relying on QUIC have to update immediately. If this is not possible due
to a delay constraint, know that you can add the keyword "no-quic" in
the global section: this effectively disables every QUIC listener in the
configuration without having to comment out each QUIC bind line,
rendering the process immune to the crashes.

  global
      no-quic
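
The grep above and the "no-quic" mitigation can be folded into one audit
script. The following is an added example, not code from the HAProxy
project or this announcement: it lists the effective QUIC bind lines of a
configuration (trailing comments stripped, so a commented-out "quic" does
not count) and reports whether "no-quic" is set in the global section. It
assumes that any uncommented bind line whose arguments mention quic is a
QUIC listener and that "no-quic" in global disables all of them, as the
notes state; the configuration it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the HAProxy release notes: audit a haproxy
# configuration file for exposure to the QUIC crash fixed in this release.
# Assumptions: an uncommented "bind" line whose arguments mention quic
# (quic4@/quic6@ addresses or the quic keyword) is a QUIC listener, and a
# "no-quic" keyword in the global section neutralises all of them, as the
# release notes state. The sample configuration below is constructed.

# Print every effective bind line mentioning quic, with its line number.
# Trailing comments are stripped first so "bind :443 # quic later" does
# not count. Exit status 0 if at least one line matched, 1 otherwise.
haproxy_quic_binds() {
    sed 's/#.*//' "$1" | grep -n 'bind.*quic'
}

# Exit status 0 if "no-quic" appears in the global section. The section
# runs from the "global" keyword to the next section keyword.
haproxy_has_no_quic() {
    awk '
        /^[ \t]*global([ \t]|$)/ { in_global = 1; next }
        /^[ \t]*(defaults|frontend|backend|listen|peers|resolvers|mailers|userlist|cache|program|http-errors|ring|log-forward|fcgi-app|crt-store|traces)([ \t]|$)/ { in_global = 0 }
        in_global && /^[^#]*no-quic/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print one verdict for the file: UNAFFECTED (no QUIC bind lines),
# MITIGATED (QUIC bind lines but no-quic set) or VULNERABLE.
haproxy_quic_status() {
    if ! haproxy_quic_binds "$1" >/dev/null; then
        echo UNAFFECTED
    elif haproxy_has_no_quic "$1"; then
        echo MITIGATED
    else
        echo VULNERABLE
    fi
}

# Demo on a constructed configuration with one HTTP/3 listener and no mitigation.
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<'EOF'
global
    maxconn 2000

frontend https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
    default_backend app
EOF
haproxy_quic_binds "$sample_cfg"     # prints the quic4@ bind line
haproxy_quic_status "$sample_cfg"    # VULNERABLE
rm -f "$sample_cfg"
```

Run it against every file passed to haproxy with -f; "MITIGATED" means the
process is safe from the crash for now but still needs the upgrade, since
"no-quic" also turns off the HTTP/3 service those listeners provided.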

In any case, every user is advised to update to benefit from all the
latest improvements listed here.

Many thanks to Asim Viladi Oglu Manizada for having found the QUIC
security bugs and reaching out to us. His analysis was very detailed and
helped us solve the issues quickly. Finally, thanks also to every other
contributor to this release.

#############################################################################################
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.1/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.1.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.1.git
   Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (1):
      BUG/MAJOR: quic: reject invalid token

Aperence (1):
      BUG/MINOR: config: Fix setting of alt_proto

Christopher Faulet (2):
      BUG/MAJOR: applet: Don't call I/O handler if the applet was shut
      BUG/MEDIUM: applet: Fix test on shut flags for legacy applets

Egor Shestakov (3):
      DOC: internals: cleanup few typos in master-worker documentation
      BUG/MINOR: startup: fix allocation error message of progname string
      BUG/MINOR: startup: handle a possible strdup() failure

Olivier Houchard (1):
      BUG/MEDIUM: threads: Atomically set TH_FL_SLEEPING and clr FL_NOTIFIED

Willy Tarreau (3):
      CLEANUP: haproxy: fix bad line wrapping in run_poll_loop()
      BUG/MEDIUM: lb-chash: always properly initialize lb_nodes with dynamic servers
      DOC: config: mention the limitation on server id range for consistent hash

---

-- 
Amaury Denoyelle
