PT-2026-24401 · Envoy · Envoy

Mandar Jog

Published: 2026-03-10 · Updated: 2026-03-12

CVE-2026-26330

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.34.13
Envoy versions prior to 1.35.8
Envoy versions prior to 1.36.5
Envoy versions prior to 1.37.1

Description

Envoy is a high-performance edge/middle/service proxy. A crash may occur in the rate limit filter when the response-phase limit with "apply on stream done" is enabled and the response-phase limit request fails. The inner state of the request-phase limit request in the gRPC client is not cleaned up after the request phase completes, so when a second limit request is sent during the response phase and fails, the stale state is used and Envoy crashes. The issue involves the re-use of a safe gRPC client instance for both the request and response phases. Because the affected filter runs on the request path, an unauthenticated remote client can trigger the crash (availability impact only, per the CVSS vector).

Recommendations

Update Envoy to version 1.34.13 or later.
Update Envoy to version 1.35.8 or later.
Update Envoy to version 1.36.5 or later.
Update Envoy to version 1.37.1 or later.

Weakness Enumeration

Use After Free

Related Identifiers

BIT-ENVOY-2026-26330
CVE-2026-26330
GHSA-C23C-RP3M-VPG3

Affected Products

Envoy