On Thu, Feb 12, 2026 at 03:13:41PM +0100, Amaury Denoyelle wrote:
> Hi,
>
> This release comes a bit earlier than expected. The reason is that it
> contains two major fixes related to QUIC. These bugs were reported by
> Asim Viladi Oglu Manizada and can be exploited to remotely trigger a
> crash of the process. So please upgrade immediately if you're using QUIC
> listeners. Note that by default, QUIC is not enabled, so only users with
> explicit QUIC bind lines added in the configuration are vulnerable. Use
> the following command on your config files to find matching lines :
>
> $ grep '^[^#]*bind.*quic' <config_file>
>
> The two patches are related to the QUIC packet parsing code. The first
> case is an integer overflow when handling a token and is assigned to
> CVE-2026-26081 report. The second one happens when decoding the frame
> type and causes an infinite loop which triggers the haproxy watchdog. It
> is assigned to CVE-2026-26080 report. If you want more details, please
> refer to the following article from the haproxy.com blog :
>
> https://www.haproxy.com/blog/cves-2026-quic-denial-of-service
Thanks Amaury for handling these ones.

I'm realizing that we didn't speak about 3.4-dev here. Since the rare users of 3.4-dev are already 100% autonomous on patching/updating/rollbacks and the risk is super low (just a crash, nothing exceptional for -dev), there are no plans to issue an intermediary 3.4-dev with just that, so 3.4-dev5 is still going to be issued next week.

Willy
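The config check quoted in the announcement above, wrapped so it can be run over several files and show where each hit is; this is an added example, not part of the original thread or of the HAProxy project. The function names and the sample configuration are constructed for illustration; only the grep pattern comes from the announcement.

```shell
#!/bin/sh
# Added example: apply the announcement's pattern to HAProxy config files
# and report every hit as file:line:text. Function names are hypothetical.

# Pattern quoted in the announcement: "bind" followed later by "quic",
# on a line with no "#" before "bind".
QUIC_BIND_RE='^[^#]*bind.*quic'

# quic_bind_lines FILE... -> prints file:line:text for each matching line
quic_bind_lines() {
    rc=0
    # The extra /dev/null makes grep print the file name even for one file.
    grep -n -- "$QUIC_BIND_RE" "$@" /dev/null || rc=$?
    # grep exits 1 when nothing matches; only >1 is a real error.
    [ "$rc" -le 1 ] || return "$rc"
    return 0
}

# quic_bind_count FILE... -> prints the number of matching lines
quic_bind_count() {
    quic_bind_lines "$@" | wc -l | tr -d ' '
}

# write_sample_cfg PATH -> writes a constructed config used for the demo
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend fe_main
    bind :443 ssl crt /etc/haproxy/site.pem
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
    # bind quic6@:443 ssl crt /etc/haproxy/site.pem alpn h3
    bind :8443 ssl crt /etc/haproxy/site.pem # quic planned
    default_backend be_quic
EOF
}

# Demo: line 3 is a real QUIC listener; line 4 is commented out and is
# skipped; line 5 is a TCP bind whose trailing comment mentions "quic",
# so the pattern reports it too and it has to be ruled out by reading it.
cfg=$(mktemp)
write_sample_cfg "$cfg"
quic_bind_lines "$cfg"
rm -f "$cfg"
```

The pattern errs on the side of reporting too much, so a hit means "review this line", while an empty result on every loaded config file means no QUIC bind line was found.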

