CVE-2026-26311

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.34.13 Envoy versions 1.35.0 through 1.35.7 Envoy versions 1.36.0 through 1.36.4 Envoy versions 1.37.0

Description Envoy is a high-performance edge/middle/service proxy. A logic issue exists in Envoy’s HTTP connection manager (FilterManager) that can lead to a "Use-After-Free" (UAF) or state-corruption. This occurs when filter callbacks are invoked on an HTTP stream that has already been reset and cleaned up. The issue resides in the FilterManager::decodeData method within source/common/http/filter manager.cc. The ActiveStream object remains valid during deferred deletion. If a DATA frame arrives on this stream immediately after the reset, the HTTP/2 codec invokes ActiveStream::decodeData, which calls FilterManager::decodeData. This method fails to check the saw downstream reset flag and iterates over the decoder filters list, invoking decodeData() on filters that have already received onDestroy().

Recommendations Update to Envoy version 1.34.13 or later. Update to Envoy version 1.35.8 or later. Update to Envoy version 1.36.5 or later. Update to Envoy version 1.37.1 or later.