envoyproxy envoy up to 1.34.12/1.35.8/1.36.4/1.37.0 Filter decodeData use after free

Summaryinfo

A vulnerability labeled as critical has been found in envoyproxy envoy up to 1.34.12/1.35.8/1.36.4/1.37.0. Affected by this issue is the function FilterManager::decodeData of the component Filter Handler. Executing a manipulation can lead to use after free. The identification of this vulnerability is CVE-2026-26311. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic was found in envoyproxy envoy up to 1.34.12/1.35.8/1.36.4/1.37.0. This vulnerability affects the function FilterManager::decodeData of the component Filter Handler. The manipulation with an unknown input leads to a use after free vulnerability. The CWE definition for the vulnerability is CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. As an impact it is known to affect availability. CVE summarizes:

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

The advisory is shared for download at github.com. This vulnerability was named CVE-2026-26311 since 02/13/2026. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available.

Upgrading to version 1.34.13, 1.35.9, 1.36.5 or 1.37.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2026-0704). Once again VulDB remains the best source for vulnerability data.

Affected

• Google Cloud Platform

Productinfo

Type

• Firewall Software

Vendor

• envoyproxy

Name

• envoy

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 1.12
• 1.13
• 1.14
• 1.15
• 1.16
• 1.17
• 1.18
• 1.19
• 1.20
• 1.21
• 1.22
• 1.23
• 1.24
• 1.25
• 1.26
• 1.27
• 1.28
• 1.29
• 1.30
• 1.31
• 1.32
• 1.33
• 1.34
• 1.34.0
• 1.34.1
• 1.34.2
• 1.34.3
• 1.34.4
• 1.34.5
• 1.34.6
• 1.34.7
• 1.34.8
• 1.34.9
• 1.34.10
• 1.34.11
• 1.34.12
• 1.35
• 1.35.0
• 1.35.1
• 1.35.2
• 1.35.3
• 1.35.4
• 1.35.5
• 1.35.6
• 1.35.7
• 1.35.8
• 1.36
• 1.36.0
• 1.36.1
• 1.36.2
• 1.36.3
• 1.36.4
• 1.37.0

License

• free

Website

• Product: https://github.com/envoyproxy/envoy/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion