CVE-2026-26310 Overview
CVE-2026-26310 is a high-severity denial of service vulnerability in Envoy Proxy, a widely-deployed high-performance edge, middle, and service proxy. The vulnerability exists in the Utility::getAddressWithPort function, which crashes when processing scoped IPv6 addresses. This utility function is invoked in the data plane from both the original_src filter and the dns filter, making it exploitable through network traffic processing.
Critical Impact
Remote attackers can crash Envoy Proxy instances by sending specially crafted requests containing scoped IPv6 addresses, causing denial of service in production environments.
Affected Products
- Envoyproxy Envoy versions prior to 1.34.13
- Envoyproxy Envoy versions prior to 1.35.8
- Envoyproxy Envoy versions prior to 1.36.5
- Envoyproxy Envoy version 1.37.0 (fixed in 1.37.1)
Discovery Timeline
- 2026-03-10 - CVE-2026-26310 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-26310
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) when handling scoped IPv6 addresses within Envoy's address parsing utilities. Scoped IPv6 addresses include a zone identifier (zone ID) appended after a percent sign (%), such as fe80::1%eth0, which is used to specify the network interface for link-local addresses. The Utility::getAddressWithPort function fails to properly handle this format, resulting in an unhandled exception or invalid memory access that terminates the proxy process.
The vulnerability is particularly impactful because it affects the data plane—the component responsible for processing actual network traffic. Both the original_src filter (used for preserving original source IP addresses) and the dns filter (used for DNS-based service discovery) call this vulnerable utility function, providing multiple attack vectors.
Root Cause
The root cause is improper input validation in the Utility::getAddressWithPort function. When parsing IPv6 addresses that contain zone identifiers (scoped addresses), the function does not account for the additional scope string component. This leads to incorrect parsing behavior, potentially causing out-of-bounds access or triggering an unhandled exception that crashes the Envoy process.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can craft malicious requests containing scoped IPv6 addresses that are processed by either the original_src or dns filter. When these filters invoke Utility::getAddressWithPort with the malicious input, the Envoy instance crashes, disrupting service availability.
The attack flow involves:
- Identifying an Envoy deployment using the original_src or dns filter
- Sending network requests containing scoped IPv6 addresses (e.g., addresses with zone identifiers like %eth0)
- The vulnerable utility function processes the address and crashes
- Service disruption occurs for all traffic routed through the affected Envoy instance
Detection Methods for CVE-2026-26310
Indicators of Compromise
- Unexpected Envoy proxy process terminations or restarts
- Crash logs showing failures in address parsing or the Utility::getAddressWithPort function
- Core dumps indicating segmentation faults during IPv6 address processing
- Increased error rates from upstream services due to proxy unavailability
Detection Strategies
- Monitor Envoy process health and restart frequency using container orchestration platforms (Kubernetes, etc.)
- Implement log analysis rules to detect crash patterns related to IPv6 address parsing
- Deploy network intrusion detection rules to identify requests containing unusual scoped IPv6 address patterns
- Configure alerting on sudden increases in Envoy pod restarts or crash loops
Monitoring Recommendations
- Enable Envoy access logging and analyze traffic patterns for anomalous IPv6 address formats
- Set up application performance monitoring (APM) to track proxy availability metrics
- Implement distributed tracing to identify service disruptions caused by proxy crashes
- Monitor system logs for repeated SIGSEGV or SIGABRT signals from Envoy processes
How to Mitigate CVE-2026-26310
Immediate Actions Required
- Upgrade Envoy Proxy to patched versions: 1.37.1, 1.36.5, 1.35.8, or 1.34.13
- Review and audit configurations using original_src or dns filters for exposure risk
- Consider temporarily disabling the original_src and dns filters if immediate patching is not possible
- Implement network-level filtering to block or sanitize requests containing scoped IPv6 addresses
Patch Information
Envoyproxy has released security patches addressing this vulnerability across all supported release branches. The fixes are available in versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Organizations should upgrade to the appropriate patched version based on their current deployment. For detailed patch information, refer to the GitHub Security Advisory GHSA-3cw6-2j68-868p.
Workarounds
- Deploy a Web Application Firewall (WAF) or reverse proxy in front of Envoy to filter requests with scoped IPv6 addresses
- If the original_src and dns filters are not required, disable them in the Envoy configuration
- Implement rate limiting and circuit breaker patterns to minimize the impact of potential crash attacks
- Use network policies to restrict access to Envoy instances from untrusted networks
# Example: Check current Envoy version
envoy --version
# Upgrade Envoy using package manager (example for apt)
apt-get update && apt-get install envoy=1.37.1
# Verify the updated version
envoy --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
