Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Published: 2026-03-10
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Crash)
Action: Patch Now
AI Analysis

Impact

An input validation flaw in Envoy’s Utility::getAddressWithPort routine causes a crash when presented with a scoped IPv6 address. This flaw can terminate the data plane process, leading to service disruption. The underlying weakness is an improper input validation vulnerability, mapped to CWE‑20. The impact is a loss of availability for the affected proxy instance.

Affected Systems

The vulnerability affects Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Any deployment of these releases that employs the original_src or dns filters is susceptible. The product is listed as envoyproxy:envoy. No additional product or vendor variants are affected.

Risk and Exploitability

The CVSS v3.1 score of 5.9 indicates moderate severity. The EPSS score of < 1% suggests the probability of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. Likely, an attacker could trigger the crash by sending a specially crafted packet that forces Envoy to resolve an IP address with a scope identifier through the vulnerable filters. The attack vector is inferred to be remote, arising from data plane traffic that the proxy processes.

Generated by OpenCVE AI on April 16, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to at least 1.37.1, or to 1.36.5, 1.35.8, or 1.34.13 as appropriate for the installed release.
  • If upgrade cannot be performed immediately, consider disabling the original_src and dns filters that invoke the vulnerable routine until a patch is available.
  • Configure monitoring to alert on service restarts or crash logs that may indicate exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 03:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3cw6-2j68-868p Envoy vulnerable to crash for scoped ip address during DNS
History

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Title Crash for scoped ip address in Envoy during DNS
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:12:40.343Z

Reserved: 2026-02-13T16:27:51.805Z

Link: CVE-2026-26310

cve-icon Vulnrichment

Updated: 2026-03-10T20:11:54.571Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T20:16:36.030

Modified: 2026-03-11T16:09:31.830

Link: CVE-2026-26310

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses