{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26311", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.806Z", "datePublished": "2026-03-10T19:14:41.645Z", "dateUpdated": "2026-03-10T19:34:36.118Z"}, "containers": {"cna": {"title": "Envoy HTTP: filter chain execution on reset streams causing UAF crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.37.0, < 1.37.1", "status": "affected"}, {"version": ">= 1.36.0, < 1.36.5", "status": "affected"}, {"version": ">= 1.35.0, < 1.35.9", "status": "affected"}, {"version": "< 1.34.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:14:41.645Z"}, "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}], "source": {"advisory": "GHSA-84xm-r438-86px", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:29:44.698912Z", "id": "CVE-2026-26311", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:34:36.118Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26311", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:29:44.698912Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:32:27.454Z"}}], "cna": {"title": "Envoy HTTP: filter chain execution on reset streams causing UAF crash", "source": {"advisory": "GHSA-84xm-r438-86px", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.37.0, < 1.37.1"}, {"status": "affected", "version": ">= 1.36.0, < 1.36.5"}, {"status": "affected", "version": ">= 1.35.0, < 1.35.9"}, {"status": "affected", "version": "< 1.34.13"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:14:41.645Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26311", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:34:36.118Z", "dateReserved": "2026-02-13T16:27:51.806Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:14:41.645Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4169052-E37B-4577-8689-4DA8D6AFF3F3", "versionEndExcluding": "1.34.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "35DB0A9F-BCEA-48D7-97DE-A63FA24B2032", "versionEndExcluding": "1.35.8", "versionStartIncluding": "1.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "B37DDD3B-8F92-4F76-B3B1-F3743CB41339", "versionEndExcluding": "1.36.5", "versionStartIncluding": "1.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*", "matchCriteriaId": "C5266F62-E0D2-4525-90B6-65921EE14F79", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}, {"lang": "es", "value": "Envoy es un proxy de borde/intermedio/servicio de alto rendimiento. Antes de 1.37.1, 1.36.5, 1.35.8 y 1.34.13, una vulnerabilidad l\u00f3gica en el gestor de conexiones HTTP de Envoy (FilterManager) permite la Ejecuci\u00f3n de Filtro de Flujo Zombie. Este problema crea una ventana de 'Uso despu\u00e9s de liberaci\u00f3n' (UAF) o de corrupci\u00f3n de estado donde las devoluciones de llamada de filtro se invocan en un flujo HTTP que ya ha sido l\u00f3gicamente restablecido y limpiado. La vulnerabilidad reside en source/common/http/filter_manager.cc dentro del m\u00e9todo FilterManager::decodeData. El objeto ActiveStream permanece v\u00e1lido en memoria durante la ventana de eliminaci\u00f3n diferida. Si un frame DATA llega en este flujo inmediatamente despu\u00e9s del restablecimiento (por ejemplo, en el mismo ciclo de procesamiento de paquetes), el c\u00f3dec HTTP/2 invoca ActiveStream::decodeData, lo que se propaga a FilterManager::decodeData. FilterManager::decodeData no verifica el flag saw_downstream_reset_. Itera sobre la lista decoder_filters_ e invoca decodeData() en filtros que ya han recibido onDestroy(). Esta vulnerabilidad se corrige en 1.37.1, 1.36.5, 1.35.8 y 1.34.13."}], "id": "CVE-2026-26311", "lastModified": "2026-03-11T16:03:58.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T20:16:36.183", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.37.0,1.37.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.36.0,1.36.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.35.0,1.35.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.34.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "envoy", "source": "cna", "vendor": "envoyproxy"}, "product": "envoy", "vendor": "envoyproxy"}], "analysis": {"en": {"generated_at": "2026-04-16T09:32:43.116818+00:00", "value": {"mitigation_remediation": ["Upgrade Envoy to any of the patched releases: 1.37.1, 1.36.5, 1.35.8, or 1.34.13 or later.", "If an immediate upgrade is not feasible, isolate the Envoy deployment from untrusted clients by enforcing strict TLS, network segmentation, and rate limiting to reduce the likelihood of a malicious DATA frame arriving immediately after a reset.", "Enable health checks or a watchdog that restarts Envoy on crash, and monitor logs for abnormal termination events to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Denial of Service via crash"}, "threat_synthesis": {"affected_systems": "The affected product is Envoy by envoyproxy. Versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13 contain the flaw. Systems running any of these releases are vulnerable until they are upgraded. This applies to all commonly used builds of Envoy, either as a standalone proxy or embedded in service meshes.", "description_and_impact": "The vulnerability is a logic flaw in Envoy's HTTP connection manager that allows a zombie stream filter to be executed after the stream has been reset and cleaned up, resulting in a use\u2011after\u2011free that can crash the Envoy process. The flaw arises when a DATA frame is received immediately after the reset and the Connection Manager does not guard against calling decodeData on filters that have already been destroyed. This can lead to application crashes and service disruption.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a medium impact, and the EPSS score of less than 1% suggests an extremely low probability of exploitation at the current time. Based on the description, it is inferred that the likely attack vector is network\u2011based, requiring an attacker to inject HTTP/2 traffic to trigger the issue. The vulnerability is not listed in CISA's KEV catalogue, indicating no publicly known exploitation yet."}}}}, "created": "2026-03-11T11:43:23.878796+00:00", "updated": "2026-04-16T09:45:31.667297+00:00", "vendors": ["envoyproxy", "envoyproxy$PRODUCT$envoy"]}