CVE-2026-26330: Use After Free in Envoy

CWE-416 (Use After Free) | 9 documents | 5 sources

Severity: 7.5 HIGH (NVD); CNA score: 5.3
EPSS: 0.0% (top 99.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 10

Description

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, at the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the same gRPC client instance is re-used for both the request phase request and the response phase request. But after the request

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source      | Package                         | Affected versions    | More
CVEList V5  | envoyproxy/envoy                | < 1.34.13            | +3
NVD         | envoyproxy/envoy                | 1.35.0 to 1.35.8     | +3
Go          | github.com/envoyproxy_envoy     | 1.36.0 to 1.36.4     |

Vulnerability Details (3)

- OSV: Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly (2026-03-10)
- CVEList: Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly (2026-03-10)
- GHSA: Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly (2026-03-10)

Threat Intelligence (5)

- Wiz: CVE-2026-26308 Impact, Exploitability, and Mitigation Steps | Wiz
- Wiz: CVE-2026-26310 Impact, Exploitability, and Mitigation Steps | Wiz
- Wiz: CVE-2026-26311 Impact, Exploitability, and Mitigation Steps | Wiz
- Wiz: CVE-2026-26309 Impact, Exploitability, and Mitigation Steps | Wiz
- Wiz: CVE-2026-26330 Impact, Exploitability, and Mitigation Steps | Wiz