CVE-2026-26311

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy:1.37.0:::::::*

History

11 Mar 2026, 16:03

Type	Values Removed	Values Added
References	~~() https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px -~~	() https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px - Exploit, Mitigation, Vendor Advisory
First Time		Envoyproxy Envoyproxy envoy
CPE		cpe:2.3:a:envoyproxy:envoy:1.37.0:::::::* cpe:2.3:a:envoyproxy:envoy::::::::

11 Mar 2026, 13:53

Type	Values Removed	Values Added
Summary		(es) Envoy es un proxy de borde/intermedio/servicio de alto rendimiento. Antes de 1.37.1, 1.36.5, 1.35.8 y 1.34.13, una vulnerabilidad lógica en el gestor de conexiones HTTP de Envoy (FilterManager) permite la Ejecución de Filtro de Flujo Zombie. Este problema crea una ventana de 'Uso después de liberación' (UAF) o de corrupción de estado donde las devoluciones de llamada de filtro se invocan en un flujo HTTP que ya ha sido lógicamente restablecido y limpiado. La vulnerabilidad reside en source/common/http/filter_manager.cc dentro del método FilterManager::decodeData. El objeto ActiveStream permanece válido en memoria durante la ventana de eliminación diferida. Si un frame DATA llega en este flujo inmediatamente después del restablecimiento (por ejemplo, en el mismo ciclo de procesamiento de paquetes), el códec HTTP/2 invoca ActiveStream::decodeData, lo que se propaga a FilterManager::decodeData. FilterManager::decodeData no verifica el flag saw_downstream_reset_. Itera sobre la lista decoder_filters_ e invoca decodeData() en filtros que ya han recibido onDestroy(). Esta vulnerabilidad se corrige en 1.37.1, 1.36.5, 1.35.8 y 1.34.13.

10 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 20:16

Updated : 2026-03-11 16:03

NVD link : CVE-2026-26311

Mitre link : CVE-2026-26311

CVE.ORG link : CVE-2026-26311

JSON object : View

Products Affected

envoyproxy

envoy

CWE

CWE-416

Use After Free

5.9 /10