Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, in the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the same gRPC client instance is re-used for both the request phase request and the response phase request. But after the request phase request is done, the inner state of the request phase limit request in the gRPC client is not cleaned up. When a second limit request is sent at response phase, and that second limit request fails directly, the previous request's inner state may be accessed and result in a crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via crash
Action: Patch
AI Analysis

Impact

A failure in Envoy's rate limit filter, triggered when the response phase limit with apply_on_stream_done is enabled and the response phase request fails directly, can crash the Envoy process. The underlying weakness is a use-after-free (CWE-416): the gRPC client's per-request state from the request phase is never cleaned up, so the response phase request can reach memory that is no longer valid. The crash results in a denial-of-service condition, interrupting the availability of all services that depend on the affected Envoy instance.
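The following C++ model is an added illustration of the state-management defect the description and impact sections talk about; it is not Envoy's code and does not reproduce the patched files. All class and function names (RequestCallbacks, LimitClient, responsePhaseRoutedCorrectly, requestPhaseVerdictAfterBothPhases) are the example's own. One client object serves both the request phase and the response phase of a stream; the only per-request state it keeps is the pointer to the callbacks that must receive the verdict. The example deliberately keeps the request-phase callbacks object alive so that the misrouting shows up as a wrong verdict rather than as a memory fault; in the real filter that object has already been released by the time the response phase runs, which is what turns the same logic error into CWE-416.

```cpp
// Added example, not Envoy's code. Models a rate-limit gRPC client reused for the
// request phase and the response (stream-done) phase of one HTTP stream.
#include <iostream>
#include <string>

// Receives the verdict for one limit request (name is the example's own).
struct RequestCallbacks {
  std::string verdict = "pending";  // filled in when the client reports back
  void complete(const std::string& v) { verdict = v; }
};

// Example client; `clear_state_on_completion` selects the fixed (true) or the
// defective (false) behaviour so both can be compared side by side.
class LimitClient {
 public:
  explicit LimitClient(bool clear_state_on_completion)
      : clear_state_on_completion_(clear_state_on_completion) {}

  // Starts one limit request. `stream_opens == false` models a request that fails
  // directly because the gRPC stream cannot be opened; `allowed` is the verdict the
  // remote service would otherwise return. Returns the callbacks object that actually
  // received the verdict so a caller can observe misrouting.
  RequestCallbacks* limit(RequestCallbacks& callbacks, bool stream_opens, bool allowed) {
    // Inner per-request state. A client that cleared it after the previous request
    // starts fresh; a client that did not still believes the old request is active
    // and keeps routing results to the previous phase's callbacks.
    if (callbacks_ == nullptr) {
      callbacks_ = &callbacks;
    }
    RequestCallbacks* target = callbacks_;
    if (!stream_opens) {
      onFailure();
    } else {
      onSuccess(allowed);
    }
    return target;
  }

  bool hasPendingRequest() const { return callbacks_ != nullptr; }

 private:
  void onSuccess(bool allowed) {
    callbacks_->complete(allowed ? "ok" : "over_limit");
    finish();
  }
  void onFailure() {
    callbacks_->complete("error");
    finish();
  }
  // The fix: drop the per-request state as soon as the request is done, so the next
  // phase cannot observe it. Without this, callbacks_ keeps pointing at an object the
  // request phase has already finished with (in the real proxy: freed memory).
  void finish() {
    if (clear_state_on_completion_) {
      callbacks_ = nullptr;
    }
  }

  bool clear_state_on_completion_;
  RequestCallbacks* callbacks_ = nullptr;
};

// Drives both phases through one shared client. The request phase succeeds; the
// response phase fails directly. Returns true if the response-phase verdict landed on
// the response-phase callbacks.
bool responsePhaseRoutedCorrectly(bool clear_state_on_completion) {
  LimitClient client(clear_state_on_completion);
  RequestCallbacks request_phase;
  RequestCallbacks response_phase;
  client.limit(request_phase, /*stream_opens=*/true, /*allowed=*/true);
  RequestCallbacks* got =
      client.limit(response_phase, /*stream_opens=*/false, /*allowed=*/true);
  return got == &response_phase;
}

// Same scenario; reports what the already-completed request-phase object holds
// afterwards. With the defect, the direct failure overwrites its "ok".
std::string requestPhaseVerdictAfterBothPhases(bool clear_state_on_completion) {
  LimitClient client(clear_state_on_completion);
  RequestCallbacks request_phase;
  RequestCallbacks response_phase;
  client.limit(request_phase, /*stream_opens=*/true, /*allowed=*/true);
  client.limit(response_phase, /*stream_opens=*/false, /*allowed=*/true);
  return request_phase.verdict;
}

int main() {
  std::cout << "fixed client routes response phase correctly: "
            << responsePhaseRoutedCorrectly(true) << "\n"
            << "defective client routes response phase correctly: "
            << responsePhaseRoutedCorrectly(false) << "\n";
  return 0;
}
```

Run stand-alone, the defective client reports the direct failure to the request-phase callbacks (its verdict changes from "ok" to "error" and the response-phase object stays "pending"), while the fixed client reports it to the response-phase callbacks and holds no pending request afterwards. The practical check this suggests for any reusable async client is that every completion path, direct failures included, returns the object to its idle state before the next caller can reach it.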

Affected Systems

The vulnerability affects the Envoy proxy from the envoyproxy project. Versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13 are impacted; these releases can be identified by the corresponding CPE strings for envoyproxy:envoy.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The advisory does not list this vulnerability in the CISA KEV catalog. Exploitation would most likely require deliberate configuration of both request and response phase rate limits or an attacker who can force the response phase request to fail, making the attack vector configuration-dependent rather than easy to trigger remotely.

Generated by OpenCVE AI on April 16, 2026 at 03:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to a patched release: 1.37.1, 1.36.5, 1.35.8, or 1.34.13, or a later release in the same series.
  • If an immediate upgrade is not possible, disable the response phase rate limit or remove the apply_on_stream_done setting from the configuration.
  • Avoid enabling both the request phase and response phase rate limits at the same time; if both must be used, ensure the client state is properly reset between phases.

Advisories
Source: GitHub GHSA
ID: GHSA-c23c-rp3m-vpg3
Title: Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
History

Wed, 11 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request's inner state may be accessed and result in crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Title Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:17:14.401Z

Reserved: 2026-02-13T16:27:51.810Z

Link: CVE-2026-26330

Vulnrichment

Updated: 2026-03-10T20:16:54.087Z

NVD

Status : Analyzed

Published: 2026-03-10T20:16:36.360

Modified: 2026-03-11T15:57:32.803

Link: CVE-2026-26330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses