Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26330

CVE-2026-26330: Envoyproxy Envoy DOS Vulnerability

CVE-2026-26330 is a denial of service vulnerability in Envoyproxy Envoy that causes crashes when rate limit filter response phase requests fail. This article covers technical details, affected versions, and mitigations.

Published: March 13, 2026

CVE-2026-26330 Overview

CVE-2026-26330 is a Use After Free vulnerability in Envoy, the high-performance edge/middle/service proxy. The vulnerability exists in the rate limit filter when the response phase limit with apply_on_stream_done configuration is enabled. When a response phase limit request fails directly, it may cause Envoy to crash, resulting in denial of service conditions.

The root cause involves improper state management of the gRPC client instance used for rate limiting. When both request phase and response phase limits are enabled, the safe gRPC client instance is reused for both phases. However, after the request phase completes, the inner state is not properly cleaned up. If a subsequent response phase limit request fails, it may access stale state from the previous request, leading to a crash.

Critical Impact

This vulnerability allows unauthenticated remote attackers to crash Envoy proxy instances, potentially causing widespread service disruption in microservices architectures and service mesh deployments that rely on Envoy for traffic management.

Affected Products

  • Envoy versions prior to 1.37.1
  • Envoy versions prior to 1.36.5
  • Envoy versions prior to 1.35.8
  • Envoy versions prior to 1.34.13
  • Envoy version 1.37.0

Discovery Timeline

  • 2026-03-10 - CVE-2026-26330 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-26330

Vulnerability Analysis

This vulnerability is classified as CWE-416 (Use After Free), a memory corruption vulnerability that occurs when a program continues to use a pointer after it has been freed. In the context of Envoy's rate limit filter, the vulnerability manifests in the handling of gRPC client state during rate limiting operations.

The attack can be triggered remotely over the network without requiring authentication or user interaction. The vulnerability specifically affects the availability of the system, as exploitation leads to a crash condition rather than data compromise. Organizations running Envoy as part of their service mesh infrastructure (such as Istio) or as a standalone proxy are particularly at risk, as a crash could affect multiple downstream services.

Root Cause

The vulnerability stems from improper lifecycle management of the gRPC client's internal state within the rate limit filter. When the rate limit filter is configured to perform both request-phase and response-phase rate limiting, a single "safe" gRPC client instance is shared between both operations.

The issue occurs because after the request phase rate limiting completes, the internal state associated with that request is not properly cleaned up before the gRPC client is reused for the response phase. This creates a dangling reference that can be accessed if the response phase limit request fails immediately, triggering a Use After Free condition and subsequent crash.

Attack Vector

An attacker can exploit this vulnerability by sending specially crafted requests to an Envoy proxy instance that has rate limiting configured with apply_on_stream_done enabled for response phase limiting. The attack requires:

  1. The target Envoy instance must have rate limiting enabled with both request and response phase limits
  2. The apply_on_stream_done configuration option must be enabled for response phase limiting
  3. The attacker must be able to trigger a condition where the response phase rate limit request fails directly

The vulnerability can be triggered over the network without authentication, making it accessible to any attacker who can reach the Envoy proxy. The attack results in a crash of the Envoy process, causing denial of service for all traffic flowing through that proxy instance.

Detection Methods for CVE-2026-26330

Indicators of Compromise

  • Unexpected Envoy process crashes or restarts in logs
  • Core dumps or crash reports referencing the rate limit filter components
  • Increased error rates in upstream services due to proxy unavailability
  • Watchdog or health check failures for Envoy instances

Detection Strategies

  • Monitor Envoy process stability metrics for unexpected restarts or crashes
  • Implement log analysis rules to detect crash signatures related to rate limit filter operations
  • Review Envoy configurations for apply_on_stream_done usage in rate limit settings
  • Deploy network-level monitoring to identify potential denial of service attack patterns

Monitoring Recommendations

  • Set up alerting for Envoy process crash events and restart frequency thresholds
  • Monitor rate limit filter error rates and latency for anomalies
  • Implement distributed tracing to identify request patterns that may trigger the vulnerability
  • Review gRPC client connection metrics for unusual failure patterns

How to Mitigate CVE-2026-26330

Immediate Actions Required

  • Upgrade Envoy to patched versions: 1.37.1, 1.36.5, 1.35.8, or 1.34.13 depending on your current version branch
  • Audit Envoy configurations for rate limit filters using apply_on_stream_done in response phase limiting
  • Implement additional monitoring for Envoy process stability until patches can be applied
  • Consider temporarily disabling response phase rate limiting with apply_on_stream_done if immediate patching is not possible

Patch Information

Envoyproxy has released security patches addressing this vulnerability. The fix ensures proper cleanup of the gRPC client's internal state after request phase rate limiting completes, preventing the Use After Free condition.

Version BranchPatched Version
1.37.x1.37.1
1.36.x1.36.5
1.35.x1.35.8
1.34.x1.34.13

For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

  • Disable response phase rate limiting with apply_on_stream_done configuration until patches can be applied
  • If both request and response phase rate limiting is required, consider using separate rate limit configurations that don't share gRPC client instances
  • Implement external rate limiting mechanisms as a temporary alternative
  • Deploy redundant Envoy instances behind load balancers to mitigate the impact of individual instance crashes
bash
# Example: Check current Envoy version
envoy --version

# Example: Verify rate limit configuration for vulnerable settings
grep -r "apply_on_stream_done" /etc/envoy/

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechEnvoyproxy
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.00%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-416
  • Vendor Resources
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-26310: Envoyproxy Envoy DOS Vulnerability
  • CVE-2024-27919: Envoyproxy Envoy DoS Vulnerability
  • CVE-2025-30157: Envoyproxy Envoy DOS Vulnerability
  • CVE-2023-35945: Envoyproxy Envoy HTTP/2 DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English