cbcvebase.
CVE-2026-26311
published 2026-03-10

CVE-2026-26311: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager…

PriorityP431medium5.9CVSS 3.1
AVNACHPRNUINSUCNINAH
EPSS
0.34%
25.5th percentile
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Affected

10 ranges
VendorProductVersion rangeFixed in
envoyproxyenvoy< 1.34.131.34.13
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy>= 1.35.0 < 1.35.81.35.8
envoyproxyenvoy>= 1.36.0 < 1.36.51.36.5
github.comenvoyproxy_envoy0 – 1.34.12
github.comenvoyproxy_envoy1.35.0 – 1.35.8
github.comenvoyproxy_envoy1.36.0 – 1.36.4
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.