CVE-2026-26311
Received Received - Intake
Use-After-Free in Envoy HTTP FilterManager Causes Stream Corruption

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26311
EUVD
EUVD-2026-10804
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
envoyproxy envoy to 1.34.13 (exc)
envoyproxy envoy From 1.35.0 (inc) to 1.35.8 (exc)
envoyproxy envoy From 1.36.0 (inc) to 1.36.5 (exc)
envoyproxy envoy 1.37.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Envoy's HTTP connection manager (FilterManager) and is a logic flaw that leads to Zombie Stream Filter Execution. Specifically, it is a Use-After-Free (UAF) or state-corruption issue where filter callbacks are called on an HTTP stream that has already been logically reset and cleaned up.

The problem occurs because the ActiveStream object remains valid in memory during a deferred deletion window. If a DATA frame arrives on this stream immediately after the reset, the HTTP/2 codec calls ActiveStream::decodeData, which then calls FilterManager::decodeData. However, FilterManager::decodeData does not check if the stream has been reset (via the saw_downstream_reset_ flag) and proceeds to invoke decodeData() on filters that have already been destroyed (onDestroy() called).

This vulnerability affects Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13 and has been fixed in those versions.

Impact Analysis

This vulnerability can lead to a Use-After-Free condition or state corruption within the Envoy proxy, which may cause unexpected behavior such as crashes or denial of service (DoS).

Because the vulnerability allows execution of callbacks on already cleaned-up streams, it could potentially be exploited to disrupt the normal operation of the proxy, impacting availability.

The CVSS score of 5.9 with an impact on availability (A:H) indicates a moderate severity primarily affecting service availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Envoy to one of the fixed versions: 1.37.1, 1.36.5, 1.35.8, or 1.34.13.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26311. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart