CVE-2026-26311 in envoyinformação

Sumário

de MITRE • 10/03/2026

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

GitHub M

Reservar

13/02/2026

Divulgação

10/03/2026

Moderação

aceite

Entrada

VDB-350164

CPE

pronto

EPSS

0.00019

KEV

não

Atividades

muito baixo

Sector

Transportation, Homeoffice, ...

Fontes

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-26311
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-26311
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-26311/

VoltarVisão GeralPróximo

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!