CVE-2026-26310
Crash Vulnerability in Envoy IPv6 Utility Causes Denial of Service
Publication date: 2026-03-10
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envoyproxy | envoy | to 1.34.13 (exc) |
| envoyproxy | envoy | From 1.35.0 (inc) to 1.35.8 (exc) |
| envoyproxy | envoy | From 1.36.0 (inc) to 1.36.5 (exc) |
| envoyproxy | envoy | 1.37.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Envoy, a high-performance edge/middle/service proxy. Prior to versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling the function Utility::getAddressWithPort with scoped IPv6 addresses causes the application to crash. This function is used in the data plane by the original_src filter and the dns filter.
How can this vulnerability impact me? :
The vulnerability can cause the Envoy proxy to crash when processing scoped IPv6 addresses, leading to a denial of service (DoS) condition. This can disrupt network traffic and service availability since Envoy is often used as a critical component in service mesh and edge proxy deployments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Envoy to one of the fixed versions: 1.37.1, 1.36.5, 1.35.8, or 1.34.13.