CVE-2026-26311 Overview
CVE-2026-26311 is a use-after-free (CWE-416) in Envoy's HTTP connection manager, described in the advisory as Zombie Stream Filter Execution. The bug is in the FilterManager component: filter callbacks can be invoked on an HTTP stream that has already been reset and logically torn down (its filters have received onDestroy()) but whose ActiveStream object is still in memory awaiting deferred deletion. Filters therefore run against state they have already released, which can crash the proxy or corrupt internal state, resulting in denial of service in affected Envoy deployments.
Critical Impact
An unauthenticated remote attacker can trigger the condition by getting Envoy to process a DATA frame on a stream it has just reset, potentially crashing the proxy or corrupting its internal state. The documented impact is denial of service.
Affected Products
- Envoy 1.37.x prior to 1.37.1 (i.e. 1.37.0)
- Envoy 1.36.x prior to 1.36.5
- Envoy 1.35.x prior to 1.35.8
- Envoy 1.34.x prior to 1.34.13
Discovery Timeline
- 2026-03-10 - CVE-2026-26311 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-26311
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free). The flaw resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The core issue is a missing validation check that allows processing of data on streams that have already been marked for destruction.
When an HTTP stream is reset, the ActiveStream object is handed to deferred deletion: it stays valid in memory until the current dispatch cycle ends. If a DATA frame for that stream is processed in the same cycle, immediately after the reset, the HTTP/2 codec still calls ActiveStream::decodeData, which forwards to FilterManager::decodeData.
FilterManager::decodeData does not consult the saw_downstream_reset_ flag before doing its work. It iterates decoder_filters_ and calls decodeData() on filters that have already received onDestroy() and may have released the state they depend on. The object memory is still allocated, so this is a logical use-after-free: code runs against a stream and filter chain that have already been torn down.
Root Cause
The root cause is a missing state check in FilterManager::decodeData: it never verifies that the stream has not been marked reset via saw_downstream_reset_ before iterating the decoder filters and invoking their callbacks, so the filter chain runs on a logically destroyed stream during the deferred-deletion window.
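The ordering problem above is easier to see in a runnable form. The following is an added toy model, not Envoy's code: it borrows the advisory's names (ActiveStream, decodeData, onDestroy, saw_downstream_reset_) but the Dispatcher, the filter bookkeeping and the exception are assumptions made purely to show why deferred deletion leaves a window and why checking the reset flag closes it.

```python
"""Toy model of the 'zombie stream' window behind CVE-2026-26311.

Added illustration, not Envoy code. The class and method names mirror the
advisory (ActiveStream, decodeData, onDestroy, saw_downstream_reset_); the
Dispatcher, DecoderFilter state and UseAfterDestroy are assumptions.
"""


class UseAfterDestroy(Exception):
    """Raised when a filter is driven after onDestroy() released its state."""


class DecoderFilter:
    def __init__(self, name):
        self.name = name
        self.destroyed = False
        self.buffered = []  # state the filter releases on destroy

    def on_destroy(self):
        self.destroyed = True
        self.buffered = None  # released; any later use is a logical UAF

    def decode_data(self, chunk):
        if self.destroyed:
            raise UseAfterDestroy(self.name)
        self.buffered.append(chunk)


class Dispatcher:
    """Deferred deletion: objects die only after the current read batch."""

    def __init__(self):
        self.pending = []

    def deferred_delete(self, obj):
        self.pending.append(obj)

    def run_deferred_deletes(self):
        deleted = self.pending
        self.pending = []
        return deleted


class ActiveStream:
    def __init__(self, dispatcher, filters, check_reset_flag):
        self.dispatcher = dispatcher
        self.decoder_filters = filters
        self.saw_downstream_reset = False
        self.check_reset_flag = check_reset_flag  # False = vulnerable, True = fixed

    def on_reset(self):
        # RST_STREAM: tear the filter chain down now, free the object later.
        self.saw_downstream_reset = True
        for f in self.decoder_filters:
            f.on_destroy()
        self.dispatcher.deferred_delete(self)

    def decode_data(self, chunk):
        # The fix: refuse to drive filters on a stream that was already reset.
        if self.check_reset_flag and self.saw_downstream_reset:
            return False
        for f in self.decoder_filters:
            f.decode_data(chunk)
        return True


def process_read_batch(stream, frames):
    """Process frames that arrived in one read; deferred deletes run afterwards.

    Returns "ok" or a description of the failure.
    """
    try:
        for kind, payload in frames:
            if kind == "RST_STREAM":
                stream.on_reset()
            elif kind == "DATA":
                stream.decode_data(payload)
    except UseAfterDestroy as exc:
        return f"filter {exc} used after onDestroy()"
    finally:
        # Only now does the ActiveStream actually go away: during the batch it
        # was a zombie, alive in memory but logically destroyed.
        stream.dispatcher.run_deferred_deletes()
    return "ok"


def run_scenario(check_reset_flag):
    """Same wire sequence (DATA, RST_STREAM, DATA in one batch), with/without the fix."""
    dispatcher = Dispatcher()
    filters = [DecoderFilter("router"), DecoderFilter("auth")]  # names are arbitrary
    stream = ActiveStream(dispatcher, filters, check_reset_flag)
    batch = [("DATA", b"part1"), ("RST_STREAM", None), ("DATA", b"part2")]
    return process_read_batch(stream, batch)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(check_reset_flag=False))
    print("fixed:     ", run_scenario(check_reset_flag=True))
```

In the real proxy the second DATA frame does not raise a tidy exception; it runs filter code against released state, which is why the outcome is a crash or corruption rather than an error. The model only makes the ordering visible: deferred deletion runs after the batch, so the reset flag is the only thing standing between the DATA frame and the destroyed filters.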
Attack Vector
The attack is network-based and needs nothing beyond the ability to open an HTTP/2 connection to a vulnerable Envoy. The sequence is:
- Open an HTTP/2 stream to the proxy
- Send RST_STREAM on that stream so Envoy tears down the filter chain and schedules the ActiveStream for deferred deletion
- Send a DATA frame on the same stream before the dispatch cycle ends, ideally back-to-back with the RST_STREAM so both are consumed in one read
- The DATA frame is processed while the stream object is still in memory, so the filters execute on the zombie stream
No authentication or user interaction is required. The attack complexity is rated high because the DATA frame must land inside the deferred-deletion window, but an attacker controls frame ordering on its own connection, and a success crashes the proxy or corrupts its state. Sending DATA on a stream you have already reset is an HTTP/2 protocol violation, which helps on the detection side: conforming clients never produce this sequence.
Detection Methods for CVE-2026-26311
Indicators of Compromise
- Unexpected Envoy crashes or restarts, especially under load or when no deployment change explains them
- Crash-handler backtraces in the Envoy log (Envoy prints one on a fatal signal) or core dumps with FilterManager::decodeData or ActiveStream frames
- HTTP/2 connections in which a client sends DATA on a stream it has already reset; this never happens in conforming traffic
- Log entries showing filter errors on streams that had already been reset
Detection Strategies
- Correlate Envoy logs for stream resets followed by data processing on the same stream
- Analyse captured HTTP/2 traffic for RST_STREAM immediately followed by DATA on the same stream id
- Track Envoy process exits and restarts (exit signals, container restart counts)
- Run ASan builds of Envoy in pre-production under replayed or fuzzed HTTP/2 traffic to surface use-after-free conditions directly rather than as crashes
Monitoring Recommendations
- Raise the http2 component log level on a canary instance (--component-log-level http2:trace) to capture stream lifecycle events; this is too verbose for fleet-wide use
- Alert on abnormal Envoy process terminations (SIGSEGV, SIGABRT) and on crash-handler backtraces in the log
- Watch the reset counters Envoy already exposes (http2.rx_reset, http2.tx_reset and the connection manager's downstream_rq_rx_reset) for sudden changes in the ratio of resets to requests
- Keep health checks that detect wedged or crash-looping instances so the load balancer drains them
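The frame-sequence check from the detection list above, as an added example that is not part of the advisory or of Envoy. It assumes you can export client-to-proxy HTTP/2 frames as rows of (connection id, read batch, stream id, frame type), for instance from a packet capture where the batch is the TCP segment the frame arrived in; the sample rows are constructed.

```python
"""Flag client frame sequences that match the CVE-2026-26311 trigger.

Added example, not part of the advisory or of Envoy. Input rows are
(conn, batch, stream, frame type) in wire order; "batch" groups frames
that arrived in one read, which is the advisory's "same processing cycle".
The row format and the sample data are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    conn: str
    stream: int
    same_batch: bool  # True: DATA arrived in the same read batch as the RST_STREAM


SAMPLE_ROWS = """\
# conn batch stream type
A 0 1 HEADERS
A 0 1 DATA
A 1 1 RST_STREAM
A 1 1 DATA
A 2 3 HEADERS
A 2 3 RST_STREAM
A 3 3 DATA
B 0 1 HEADERS
B 0 1 DATA
B 1 1 DATA
B 1 5 RST_STREAM
B 1 5 PRIORITY
"""


def parse_rows(text):
    """Parse whitespace-separated rows (constructed format) into tuples in wire order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        conn, batch, stream, ftype = line.split()
        rows.append((conn, int(batch), int(stream), ftype))
    return rows


def find_zombie_sequences(rows):
    """Return a Hit for every client DATA frame that follows the client's own
    RST_STREAM on the same stream.

    Any such pair is a protocol violation (after RST_STREAM only PRIORITY may
    follow on that stream), so it should not occur in benign traffic; a hit
    with same_batch=True is the exact window the advisory describes.
    """
    reset_batch = {}  # (conn, stream) -> batch in which RST_STREAM was seen
    hits = []
    for conn, batch, stream, ftype in rows:
        key = (conn, stream)
        if ftype == "RST_STREAM":
            reset_batch.setdefault(key, batch)
        elif ftype == "DATA" and key in reset_batch:
            hits.append(Hit(conn, stream, same_batch=(batch == reset_batch[key])))
    return hits


def suspicious_connections(hits, min_same_batch_hits=1):
    """Connections with at least min_same_batch_hits same-batch sequences, sorted."""
    counts = defaultdict(int)
    for h in hits:
        if h.same_batch:
            counts[h.conn] += 1
    return sorted(c for c, n in counts.items() if n >= min_same_batch_hits)


if __name__ == "__main__":
    hits = find_zombie_sequences(parse_rows(SAMPLE_ROWS))
    for h in hits:
        print(h)
    print("alert on:", suspicious_connections(hits))
```

Only client-originated frames should be fed in: Envoy sends RST_STREAM itself (timeouts, overload), and a DATA frame the client had already put on the wire before the proxy's reset is benign. A cross-batch hit (same_batch=False) is still a protocol violation worth logging, but it is the same-batch case that matches the exploit window.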
How to Mitigate CVE-2026-26311
Immediate Actions Required
- Upgrade to the fixed release for your branch: 1.37.1, 1.36.5, 1.35.8 or 1.34.13
- Patch internet-facing and multi-tenant Envoy instances first; an ingress gateway that accepts HTTP/2 from arbitrary clients is the most exposed
- Monitor instances for unexpected crashes and for the frame sequence described above while the rollout is in progress
- During the patching window, rate-limit new HTTP/2 connections at the network edge to raise the cost of repeated attempts
Patch Information
Envoyproxy has released security patches. The fix checks saw_downstream_reset_ in FilterManager::decodeData and does not drive the filter chain when the stream has already been reset. Upgrade to the fixed version for your deployment branch:
| Branch | Fixed Version |
|---|---|
| 1.37.x | 1.37.1 |
| 1.36.x | 1.36.5 |
| 1.35.x | 1.35.8 |
| 1.34.x | 1.34.13 |
For complete details, refer to the GitHub Security Advisory GHSA-84xm-r438-86px.
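A small checker for the table above, as an added example that is not part of the advisory or the Envoy project. It assumes `envoy --version` prints a line of the form `envoy  version: <sha>/<major.minor.patch>/<Clean|Modified>/<RELEASE|DEBUG>/<TLS library>`; the sample output below is constructed.

```python
"""Decide whether an Envoy build is covered by the CVE-2026-26311 fix table.

Added example, not part of the advisory or of Envoy. Assumes the
`envoy --version` output format shown in SAMPLE_OUTPUT (constructed).
"""
import re
import subprocess

# Fixed versions per branch, taken from the advisory table.
FIXED_BY_BRANCH = {
    (1, 37): (1, 37, 1),
    (1, 36): (1, 36, 5),
    (1, 35): (1, 35, 8),
    (1, 34): (1, 34, 13),
}

# "version: <sha>/<major>.<minor>.<patch>[-suffix]/..." (format assumption)
VERSION_RE = re.compile(r"version:\s*[0-9a-fA-F]+/(\d+)\.(\d+)\.(\d+)[^/]*/")


def parse_envoy_version(output):
    """Extract (major, minor, patch) from `envoy --version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised envoy --version output: {output!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'vulnerable', 'patched' or 'not_in_advisory' for a (major, minor, patch)."""
    branch = version[:2]
    if branch not in FIXED_BY_BRANCH:
        # Branches older than 1.34 receive no fix (treat as unpatched);
        # branches newer than 1.37 are not in the table, so check the advisory.
        return "not_in_advisory"
    return "vulnerable" if version < FIXED_BY_BRANCH[branch] else "patched"


def assess_local_envoy(envoy_path="envoy"):
    """Run the local binary and assess it; returns (version, status)."""
    out = subprocess.run(
        [envoy_path, "--version"], capture_output=True, text=True, check=True
    ).stdout
    version = parse_envoy_version(out)
    return version, assess(version)


SAMPLE_OUTPUT = "envoy  version: 3f5a0c1d9e7b/1.37.0/Clean/RELEASE/BoringSSL\n"

if __name__ == "__main__":
    v = parse_envoy_version(SAMPLE_OUTPUT)
    print(v, assess(v))  # sample build is 1.37.0
```

Run `assess_local_envoy()` on each host, or feed it the output of `docker exec <container> envoy --version`, to get a per-instance verdict; a "not_in_advisory" result on a branch older than 1.34 means there is no fixed release for that branch and the instance needs a branch upgrade, not a patch release.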
Workarounds
- Put an HTTP/2-terminating proxy or WAF in front of Envoy so that clients cannot control the frame sequence Envoy receives; an inline WAF that inspects payloads without terminating the HTTP/2 connection does not remove the exposure
- Where feasible, disable downstream HTTP/2 until patched: set codec_type to HTTP1 on the HTTP connection manager and advertise only http/1.1 in the listener's TLS ALPN list; this breaks gRPC and other HTTP/2-only clients, so confirm nothing depends on them first
- Segment the network so that only trusted clients can reach unpatched instances
- Run Envoy under process isolation and resource limits, with supervised restarts, so a crash degrades rather than stops service
```bash
# Check the running Envoy version (for a container: docker exec <container> envoy --version)
envoy --version

# Pull the patched image for your branch (1.37.1 shown; use 1.36.5, 1.35.8 or 1.34.13 as appropriate)
docker pull envoyproxy/envoy:v1.37.1

# Pin the patched tag in your deployment manifest or compose file. Re-tagging it
# as :latest locally, as below, does not change what a running deployment pulls.
docker tag envoyproxy/envoy:v1.37.1 envoyproxy/envoy:latest
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

