Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Crash or Out-of-Bounds Read
Action: Apply Patch
AI Analysis

Impact

An off-by-one write occurs in Envoy's JsonEscaper::escapeString(), which corrupts the null-termination of std::string objects. This vulnerability can lead to undefined behavior, such as program crashes or out-of-bounds reads when the string is later used as a C-string. The weakness is a typical C string handling flaw identified as CWE-193.

Affected Systems

The affected product is Envoy Proxy from the envoyproxy organization. Versions before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 are vulnerable, including the 1.37.0 release as noted in the CPE data.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium impact, while the EPSS score of less than 1% shows that the probability of exploitation is considered low at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered during JSON string escaping, it can be triggered remotely via crafted requests that contain malicious JSON content, although no known publicly available exploits have been reported.

Generated by OpenCVE AI on April 16, 2026 at 09:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to a fixed version—1.37.1, 1.36.5, 1.35.8, or 1.34.13—depending on the deployed release.
  • Configure Envoy’s JSON validation settings to reject malformed or overly large JSON payloads, reducing the chance of triggering the off‑by‑one write during string escaping.
  • Set up monitoring and alerting on Envoy crash logs or abnormal memory accesses to detect unexpected execution of the vulnerable code.

Generated by OpenCVE AI on April 16, 2026 at 09:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-56cj-wgg3-x943 Envoy affected by off-by-one write in JsonEscaper::escapeString()
History

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Title Envoy has an off-by-one write in JsonEscaper::escapeString()
Weaknesses CWE-193
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:12:40.483Z

Reserved: 2026-02-13T16:27:51.805Z

Link: CVE-2026-26309

cve-icon Vulnrichment

Updated: 2026-03-10T20:11:56.525Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T20:16:35.880

Modified: 2026-03-11T16:14:20.730

Link: CVE-2026-26309

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses