cbcvebase.
CVE-2026-26310
published 2026-03-10

Priority: P339, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.39% (30.7th percentile)

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 address causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.34.13 | 1.34.13 |
| envoyproxy | envoy | | |
| envoyproxy | envoy | | |
| envoyproxy | envoy | | |
| envoyproxy | envoy | | |
| envoyproxy | envoy | >= 1.35.0 < 1.35.8 | 1.35.8 |
| envoyproxy | envoy | >= 1.36.0 < 1.36.5 | 1.36.5 |
| github.com | envoyproxy_envoy | 0 – 1.34.12 | |
| github.com | envoyproxy_envoy | 1.35.0 – 1.35.8 | |
| github.com | envoyproxy_envoy | 1.36.0 – 1.36.4 | |