CVE-2026-26330 in envoyinfo

Zusammenfassung

von MITRE • 10.03.2026

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request's inner state may be accessed and result in crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

13.02.2026

Veröffentlichung

10.03.2026

Moderieren

akzeptiert

Eintrag

VDB-350165

CPE

bereit

CWE

CWE-416 (bestätigt)

CVSS

7.5 (NVD)

EPSS

0.00004

KEV

nein

Aktivitäten

very low

Sektor

Insurance, Telecommunication, ...

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-26330
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-26330
CVE Details	https://www.cvedetails.com/cve/CVE-2026-26330/

◂ Zurück Übersicht Weiter ▸

Do you need the next level of professionalism?

Upgrade your account now!