- What: HAProxy Community, Enterprise, and ALOHA versions have been updated to address two denial-of-service vulnerabilities in the QUIC library.
- Impact: Remote attackers could exploit these flaws to crash the HAProxy process.
- Affected: HAProxy Community, HAProxy Enterprise, and HAProxy ALOHA versions using the QUIC component.
- CVE: CVE-2026-26080, CVE-2026-26081
- Action: Update to the latest version or disable the QUIC component.

The latest versions of HAProxy Community, HAProxy Enterprise, and HAProxy ALOHA fix two vulnerabilities in the QUIC library. These issues could allow a remote attacker to cause a denial of service. The vulnerabilities involve malformed packets that can crash the HAProxy process through an integer underflow or an infinite loop.

If you use an affected product with the QUIC component enabled, you should update to a fixed version as soon as possible. Instructions are provided below on how to determine if your HAProxy installation is using QUIC. If you cannot yet update, you can temporarily work around this issue by disabling the QUIC component.

Vulnerability details

- CVE Identifiers: CVE-2026-26080 and CVE-2026-26081
- CVSSv3.1 Score: 7.5 (High)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Reported by: Asim Viladi Oglu Manizada

Description

Two separate issues were found in how HAProxy processes QUIC packets:

- Token length underflow (CVE-2026-26081): This affects versions 3.0 (ALOHA 16.5) and later. A remote, unauthenticated attacker can cause a process crash. This happens by sending a malformed QUIC Initial packet that causes an integer underflow during token validation.
- Truncated varint loop (CVE-2026-26080): This affects versions 3.2 (ALOHA 17.0) and later. An attacker can cause a denial of service. By sending a QUIC packet with a truncated varint, the frame parser enters an infinite loop until the system watchdog terminates the process.

Repeated attacks can enable a lasting denial of service for your environment.

Affected versions and remediation

HAProxy Technologies released new versions of its products on Thursday, February 12, 2026, to patch these vulnerabilities.

CVE-2026-26081 (Token length underflow)

| Product | Affected version(s) | Fixed version |
| --- | --- | --- |
| HAProxy Community / Performance Packages | 3.0 and later | 3.0.16, 3.1.14, 3.2.12, 3.3.3 |
| HAProxy Enterprise | 3.0 and later | hapee-lb-3.0r1-1.0.0-351.929, hapee-lb-3.1r1-1.0.0-355.744, hapee-lb-3.2r1-1.0.0-365.548 |
| HAProxy ALOHA | 16.5 and later | 16.5.30, 17.0.18, 17.5.16 |

CVE-2026-26080 (Truncated varint loop)

| Product | Affected version(s) | Fixed version |
| --- | --- | --- |
| HAProxy Community / Performance Packages | 3.2 and later | 3.2.12, 3.3.3 |
| HAProxy Enterprise | 3.2 and later | hapee-lb-3.2r1-1.0.0-365.548 |
| HAProxy ALOHA | 17.0 and later | 17.0.18, 17.5.16 |

Test if you’re affected

Users of affected products can determine if the QUIC component is enabled on their HAProxy installation and whether they are affected.

For a single installation (test a single config file):

    grep -iE "quic" /path/to/haproxy/config && echo "WARNING: QUIC may be enabled" || echo "QUIC not enabled"

For multiple installations (test each config file in folder):

    grep -irE "quic" /path/to/haproxy/folder && echo "WARNING: QUIC may be enabled" || echo "QUIC not enabled"

A response containing “QUIC may be enabled” indicates your HAProxy installation is potentially affected and you need to manually review and disable any QUIC listeners. The fastest method is by using the global keyword tune.quic.listen off (for version 3.3) or no-quic (3.2 and below).

Update instructions

Users of affected products should update immediately by pulling the latest image or package for their release track.

- HAProxy Enterprise users can find update instructions in the customer portal.
- HAProxy ALOHA users should follow the standard firmware update procedure in your documentation.
- HAProxy Community users should compile from the latest source or update via their distribution's package manager or available images.

Note: Cloud images will be available shortly, depending on approval of your respective marketplace or repository.
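
A narrower check than the plain grep under "Test if you’re affected", as an added example that is not HAProxy's own tooling: it ignores comments, reports whether a QUIC listener is declared and whether one of the global keywords named above disables it, and compares a Community version with the fixed releases listed above. It assumes QUIC listeners are declared on bind lines with a quic4@, quic6@ or quic+ address prefix; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HAProxy's own tooling. Function names are hypothetical.

# Classify one config file: prints "exposed", "disabled" or "none".
quic_exposure() {
    # Strip comments so a commented-out listener or keyword is not counted.
    active=$(sed 's/#.*$//' "$1")
    # Assumption: QUIC listeners are bind lines with a quic4@, quic6@ or quic+ address.
    if ! printf '%s\n' "$active" |
        grep -qE '^[[:space:]]*bind[[:space:]].*(quic[46]@|quic\+)'; then
        echo none
    # Global keywords named in the advisory: no-quic, tune.quic.listen off.
    elif printf '%s\n' "$active" |
        grep -qE '^[[:space:]]*(no-quic|tune\.quic\.listen[[:space:]]+off)[[:space:]]*$'; then
        echo disabled
    else
        echo exposed
    fi
}

# Compare a Community version string with the fixed releases listed in the advisory.
# Prints "fixed", "vulnerable" or "unlisted" (branch not in the advisory's tables).
community_status() {
    ver=${1%%-*}                       # drop a build suffix after the first "-"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    case "$major.$minor" in
        3.0) fixed=16 ;;
        3.1) fixed=14 ;;
        3.2) fixed=12 ;;
        3.3) fixed=3 ;;
        *) echo unlisted; return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# Constructed sample config for a quick run (the no-quic line is commented out).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
global
    # no-quic
frontend fe
    bind :443 ssl crt /etc/haproxy/site.pem
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
EOF
echo "config: $(quic_exposure "$demo_cfg")  version 3.2.11: $(community_status 3.2.11)"
rm -f "$demo_cfg"
```

A result of "disabled" only reflects the configuration file; the running process must be reloaded for the keyword to take effect.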

Support

If you are an HAProxy customer and have questions about this advisory or the update process, please contact our support team via the Customer Portal.

Tags: ALOHA, HAProxy Enterprise, HAProxy, QUIC

Authors: HAProxy Technologies