CVE-2026-26310
Published: 10 March 2026
Summary
CVE-2026-26310 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Envoyproxy Envoy. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network-accessible crash via improper IPv6 input validation in public-facing Envoy proxy directly maps to exploitation of public-facing apps for DoS (T1190) and application/system exploitation causing endpoint DoS (T1499.004).
NVD Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This…
more
vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Deeper analysisAI
CVE-2026-26310 is an availability-impacting vulnerability in Envoy, a high-performance edge/middle/service proxy. In versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling the Utility::getAddressWithPort function with a scoped IPv6 address triggers a crash. This utility is invoked in the data plane by the original_src filter and the dns filter.
Network-accessible attackers with no privileges or user interaction required can exploit this issue, though it demands high attack complexity. Successful exploitation causes a denial-of-service condition via proxy crash, with no impact on confidentiality or integrity, as reflected in its CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability, linked to CWE-20 (Improper Input Validation), is addressed in Envoy releases 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Practitioners should upgrade affected deployments promptly. Additional details are available in the Envoy security advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p.
Details
- CWE(s)