{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26309", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.805Z", "datePublished": "2026-03-10T19:04:21.384Z", "dateUpdated": "2026-03-10T20:12:40.483Z"}, "containers": {"cna": {"title": "Envoy has an off-by-one write in JsonEscaper::escapeString()", "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "lang": "en", "description": "CWE-193: Off-by-one Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.37.0, < 1.37.1", "status": "affected"}, {"version": ">= 1.36.0, < 1.36.5", "status": "affected"}, {"version": ">= 1.35.0, < 1.35.9", "status": "affected"}, {"version": "< 1.34.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:04:21.384Z"}, "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}], "source": {"advisory": "GHSA-56cj-wgg3-x943", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26309", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:10:43.653623Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:12:40.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26309", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:10:43.653623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:11:56.525Z"}}], "cna": {"title": "Envoy has an off-by-one write in JsonEscaper::escapeString()", "source": {"advisory": "GHSA-56cj-wgg3-x943", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.37.0, < 1.37.1"}, {"status": "affected", "version": ">= 1.36.0, < 1.36.5"}, {"status": "affected", "version": ">= 1.35.0, < 1.35.9"}, {"status": "affected", "version": "< 1.34.13"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193: Off-by-one Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:04:21.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26309", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:12:40.483Z", "dateReserved": "2026-02-13T16:27:51.805Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:04:21.384Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4169052-E37B-4577-8689-4DA8D6AFF3F3", "versionEndExcluding": "1.34.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "35DB0A9F-BCEA-48D7-97DE-A63FA24B2032", "versionEndExcluding": "1.35.8", "versionStartIncluding": "1.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "B37DDD3B-8F92-4F76-B3B1-F3743CB41339", "versionEndExcluding": "1.36.5", "versionStartIncluding": "1.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*", "matchCriteriaId": "C5266F62-E0D2-4525-90B6-65921EE14F79", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}, {"lang": "es", "value": "Envoy es un proxy de borde/intermedio/servicio de alto rendimiento. Antes de 1.37.1, 1.36.5, 1.35.8 y 1.34.13, una escritura por un byte en Envoy::JsonEscaper::escapeString() puede corromper la terminaci\u00f3n nula de std::string, causando comportamiento indefinido y potencialmente llevando a fallos o lecturas fuera de l\u00edmites cuando la cadena resultante es tratada posteriormente como una cadena C. Esta vulnerabilidad est\u00e1 corregida en 1.37.1, 1.36.5, 1.35.8 y 1.34.13."}], "id": "CVE-2026-26309", "lastModified": "2026-03-11T16:14:20.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T20:16:35.880", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.37.0,1.37.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.36.0,1.36.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.35.0,1.35.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.34.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "envoy", "source": "cna", "vendor": "envoyproxy"}, "product": "envoy", "vendor": "envoyproxy"}], "analysis": {"en": {"generated_at": "2026-04-16T09:33:11.971577+00:00", "value": {"mitigation_remediation": ["Upgrade Envoy to a fixed version\u20141.37.1, 1.36.5, 1.35.8, or 1.34.13\u2014depending on the deployed release.", "Configure Envoy\u2019s JSON validation settings to reject malformed or overly large JSON payloads, reducing the chance of triggering the off\u2011by\u2011one write during string escaping.", "Set up monitoring and alerting on Envoy crash logs or abnormal memory accesses to detect unexpected execution of the vulnerable code."], "summary": {"action": "Apply Patch", "impact": "Potential Crash or Out-of-Bounds Read"}, "threat_synthesis": {"affected_systems": "The affected product is Envoy Proxy from the envoyproxy organization. Versions before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 are vulnerable, including the 1.37.0 release as noted in the CPE data.", "description_and_impact": "An off-by-one write occurs in Envoy's JsonEscaper::escapeString(), which corrupts the null-termination of std::string objects. This vulnerability can lead to undefined behavior, such as program crashes or out-of-bounds reads when the string is later used as a C-string. The weakness is a typical C string handling flaw identified as CWE-193.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium impact, while the EPSS score of less than 1% shows that the probability of exploitation is considered low at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered during JSON string escaping, it can be triggered remotely via crafted requests that contain malicious JSON content, although no known publicly available exploits have been reported."}}}}, "created": "2026-03-11T11:43:26.617217+00:00", "updated": "2026-04-16T09:45:31.667814+00:00", "vendors": ["envoyproxy", "envoyproxy$PRODUCT$envoy"]}