CVE-2026-26311 in envoyinfo

Zusammenfassung

von MITRE • 10.03.2026

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

13.02.2026

Veröffentlichung

10.03.2026

Moderieren

akzeptiert

Eintrag

VDB-350164

CPE

bereit

EPSS

0.00019

KEV

nein

Aktivitäten

very low

Sektor

Lawfirm, Hostingprovider, ...

Quellen

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-26311
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-26311
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-26311/

ZurückÜbersichtWeiter

Want to know what is going to be exploited?

We predict KEV entries!