CVE-2026-26309
published 2026-03-10


Priority: P428
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.36% (28.4th percentile)
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Affected (10 ranges)

Vendor      | Product          | Version range        | Fixed in
------------|------------------|----------------------|---------
envoyproxy  | envoy            | < 1.34.13            | 1.34.13
envoyproxy  | envoy            |                      |
envoyproxy  | envoy            |                      |
envoyproxy  | envoy            |                      |
envoyproxy  | envoy            |                      |
envoyproxy  | envoy            | >= 1.35.0 < 1.35.8   | 1.35.8
envoyproxy  | envoy            | >= 1.36.0 < 1.36.5   | 1.36.5
github.com  | envoyproxy_envoy | 0 – 1.34.12          |
github.com  | envoyproxy_envoy | 1.35.0 – 1.35.8      |
github.com  | envoyproxy_envoy | 1.36.0 – 1.36.4      |