{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "1.37.0" }, { "fixed": "1.37.1" } ] }, "events": [ { "introduced": "6d9bb7d9a85d616b220d1f8fe67b61f82bbdb8d3" }, { "fixed": "5ef4e4cea57f63e7e2970b9c1ad696278db927d6" } ], "repo": "https://github.com/envoyproxy/envoy", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "1.36.0" }, { "fixed": "1.36.5" } ] }, "events": [ { "introduced": "63ee0dc79dce88117c6bd2df5a742f8eb67ea980" }, { "fixed": "41749943780b54b70b510b1b1a4805ae529e174a" } ], "repo": "https://github.com/envoyproxy/envoy", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "1.35.0" }, { "fixed": "1.35.9" } ] }, "events": [ { "introduced": "84305a6cb64bd55aaf606bdd53de7cd6080427a1" }, { "fixed": "75e220883447543d35571aecae826d7b1a2646b9" } ], "repo": "https://github.com/envoyproxy/envoy", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "1.34.13" } ] }, "events": [ { "introduced": "0" }, { "fixed": "7c0fda3dc457de6ee4585e8129e3f5728d65f367" } ], "repo": "https://github.com/envoyproxy/envoy", "type": "GIT" } ] } ], "aliases": [ "GHSA-84xm-r438-86px" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-416" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26311.json" }, "details": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.", "id": "CVE-2026-26311", "modified": "2026-03-13T13:50:07.393892181Z", "published": "2026-03-10T19:14:41.645Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26311.json" }, { "type": "ADVISORY", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26311" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Envoy HTTP: filter chain execution on reset streams causing UAF crash" }