7.7
Traefik Server Can Crash from Malformed HTTP/2 Frames
GHSA-4hjq-9h5c-252j
Summary
A bug in Traefik can cause a running server to crash when it receives certain types of HTTP/2 data. This results in a denial of service: the server becomes unresponsive. To fix this, update Traefik to version 3.6.10 or 2.11.40.
What to do
- Update Traefik (github.com/traefik/traefik) to version 2.11.40.
- Update Traefik (github.com/traefik/traefik) to version 3.6.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | traefik | <= 2.11.39 | 2.11.40 |
| github.com | traefik | <= 3.6.9 | 3.6.10 |
Original title
Traefik: HTTP/2 frames can cause a running server to panic
Original description
## Summary
More Details:
- https://nvd.nist.gov/vuln/detail/CVE-2026-27141
- https://pkg.go.dev/golang.org/x/net/http2?tab=versions
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.10
- https://github.com/traefik/traefik/releases/tag/v2.11.40
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
GHSA CVSS 4.0
7.7
Vulnerability type
CWE-476
NULL Pointer Dereference
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026