Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Published: 2026-03-10
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via crash
Action: Patch
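To make the sequence in the Description concrete, here is an added C++ model written for this page (hypothetical, simplified code, not Envoy's source): a per-stream filter manager whose decodeData() either ignores or honours saw_downstream_reset_, driven by a downstream reset followed by a late DATA frame. The names decodeData, onDestroy, decoder_filters_ and saw_downstream_reset_ mirror those the advisory cites; DecoderFilter, zombieCallsFor and the check_reset_flag switch are this example's own assumptions.

```cpp
#include <memory>
#include <string>
#include <vector>
// Hypothetical, minimal stand-in for a decoder filter; not Envoy's real interface.
struct DecoderFilter {
  bool destroyed = false;
  int zombie_calls = 0;  // decodeData() calls after onDestroy(): the CVE's "zombie" execution
  void onDestroy() { destroyed = true; }
  void decodeData(const std::string& /*data*/, bool /*end_stream*/) {
    if (destroyed) ++zombie_calls;
  }
};
// Hypothetical model of the per-stream filter manager. In real Envoy a destroyed filter's
// state is torn down, so a zombie call is a use-after-free; here filters stay allocated
// only so the stray calls can be counted.
class FilterManager {
 public:
  FilterManager(size_t n, bool check_reset_flag) : check_reset_flag_(check_reset_flag) {
    for (size_t i = 0; i < n; ++i) decoder_filters_.push_back(std::make_unique<DecoderFilter>());
  }
  // Reset path: filters receive onDestroy(), but this object survives until deferred deletion.
  void onDownstreamReset() {
    saw_downstream_reset_ = true;
    for (auto& f : decoder_filters_) f->onDestroy();
  }
  void decodeData(const std::string& data, bool end_stream) {
    // Hardened behaviour: a stream that already saw a downstream reset gets no more data.
    if (check_reset_flag_ && saw_downstream_reset_) return;
    for (auto& f : decoder_filters_) f->decodeData(data, end_stream);  // unguarded: zombie calls
  }
  int zombieCalls() const {
    int n = 0;
    for (const auto& f : decoder_filters_) n += f->zombie_calls;
    return n;
  }
 private:
  bool check_reset_flag_;
  bool saw_downstream_reset_ = false;
  std::vector<std::unique_ptr<DecoderFilter>> decoder_filters_;
};
// Replays "reset, then a DATA frame in the same processing cycle" and returns how many
// decodeData() calls reached already-destroyed filters: 3 without the check, 0 with it.
int zombieCallsFor(bool check_reset_flag) {
  FilterManager fm(3, check_reset_flag);
  fm.decodeData("body chunk", false);      // ordinary traffic before the reset
  fm.onDownstreamReset();                  // downstream reset handled, filters destroyed
  fm.decodeData("late DATA frame", true);  // the frame that arrives after the reset
  return fm.zombieCalls();
}
```

The guard is the whole fix pattern: once the stream has been reset, any late data for it is dropped before the filter chain is touched.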
AI Analysis

Impact

The vulnerability is a logic flaw in Envoy's HTTP connection manager that lets filter callbacks run on a "zombie" stream, one that has already been reset and cleaned up, resulting in a use-after-free that can crash the Envoy process. The flaw arises when a DATA frame is received immediately after the reset and the connection manager does not guard against calling decodeData on filters that have already been destroyed. This can lead to application crashes and service disruption.

Affected Systems

The affected product is Envoy by envoyproxy. Versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13 contain the flaw. Systems running any of these releases are vulnerable until they are upgraded. This applies to all commonly used builds of Envoy, either as a standalone proxy or embedded in service meshes.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium impact, and the EPSS score of less than 1% suggests an extremely low probability of exploitation at the current time. Based on the description, it is inferred that the likely attack vector is network-based, requiring an attacker to inject HTTP/2 traffic to trigger the issue. The vulnerability is not listed in CISA's KEV catalogue, indicating no publicly known exploitation yet.

Generated by OpenCVE AI on April 16, 2026 at 09:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to the patched release for its branch (1.37.1, 1.36.5, 1.35.8, or 1.34.13) or later.
  • If an immediate upgrade is not feasible, isolate the Envoy deployment from untrusted clients by enforcing strict TLS, network segmentation, and rate limiting to reduce the likelihood of a malicious DATA frame arriving immediately after a reset.
  • Enable health checks or a watchdog that restarts Envoy on crash, and monitor logs for abnormal termination events to detect potential exploitation attempts.

Advisories

Source: GitHub GHSA
ID: GHSA-84xm-r438-86px
Title: Envoy: HTTP - filter chain execution on reset streams causing UAF crash

History

Wed, 11 Mar 2026 16:15:00 +0000
CPEs: cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* and cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000
First time appeared: Envoyproxy; Envoyproxy envoy
Vendors & Products: Envoyproxy; Envoyproxy envoy

Tue, 10 Mar 2026 20:15:00 +0000
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:30:00 +0000
Description: initial description added (identical to the Description section at the top of this page)
Title: Envoy HTTP: filter chain execution on reset streams causing UAF crash
Weaknesses: CWE-416
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:34:36.118Z

Reserved: 2026-02-13T16:27:51.806Z

Link: CVE-2026-26311

Vulnrichment

Updated: 2026-03-10T19:32:27.454Z

NVD

Status: Analyzed

Published: 2026-03-10T20:16:36.183

Modified: 2026-03-11T16:03:58.183

Link: CVE-2026-26311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses