Cyber Posture

CVE-2026-26330

Severity: Medium
Published: 10 March 2026
Modified: 11 March 2026
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0000 (0.1th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26330 is a medium-severity Use After Free (CWE-416) vulnerability in Envoyproxy Envoy, with a CVSS base score of 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 0.1th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-416: use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR. Note that this CVE's impact is availability only (the CVSS vector is C:N/I:N/A:H and the failure mode is a crash), which those memory-protection controls do not prevent; the effective control is upgrading to a fixed release.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

This CVE enables direct triggering of a use-after-free crash in the Envoy rate limit filter, matching T1499.004 (Application or System Exploitation) as a denial-of-service technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, in the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance is re-used for both the request phase request and the response phase request. But after the request phase request is done, the inner state of the request phase limit request in the gRPC client is not cleaned up. When a second limit request is sent at response phase and that second request fails directly, the previous request's inner state may be accessed, resulting in a crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Deeper analysis (AI-generated)

CVE-2026-26330 is a vulnerability in Envoy, a high-performance edge/middle/service proxy, affecting versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13. It resides in the rate limit filter, where enabling the response phase limit with apply_on_stream_done configured can lead to a crash if the response phase limit request fails directly. This stems from reusing a safe gRPC client instance for both request and response phase limit requests without cleaning up the inner state from the prior request phase, resulting in access to stale state and a crash (CWE-416).

The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating network accessibility with high attack complexity and low privilege requirements. An attacker with low privileges can trigger the crash during the response phase of rate limiting, achieving a denial-of-service impact by terminating the Envoy process without affecting confidentiality or integrity.

The vulnerability is addressed in Envoy releases 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3.
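A triage helper for this advisory, added here as an example and not code from the Envoy project or the page: it decides whether a running Envoy version falls below the fixed releases named above, and walks a parsed config for rate-limit entries that set apply_on_stream_done (the response-phase limit the advisory ties to the crash). The placement of that key under a route's rate_limits list and the sample config are assumptions.

```python
"""Triage helper for CVE-2026-26330 (added example, not Envoy project code)."""
import re
from typing import Iterator, Tuple

# Fixed releases from the advisory, keyed by release branch. Branches older
# than 1.34 have no fixed release listed, so they are treated as affected.
FIXED = {(1, 34): 13, (1, 35): 8, (1, 36): 5, (1, 37): 1}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.36.4' or '1.36.4-dev' into (1, 36, 4); reject anything else."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Envoy version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True if the version is below the fix for its branch, or on an older branch."""
    major, minor, patch = parse_version(version)
    if (major, minor) > max(FIXED):
        return False                      # newer branch than any listed fix
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return True                       # branch predates 1.34: no fix listed
    return patch < fixed_patch


def find_apply_on_stream_done(node, path: str = "") -> Iterator[str]:
    """Yield the dotted path of every apply_on_stream_done: true in a config tree.
    The walk is generic, so it finds the key wherever the config places it
    (assumed here to be inside a route's rate_limits entries)."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "apply_on_stream_done" and value is True:
                yield here
            else:
                yield from find_apply_on_stream_done(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_apply_on_stream_done(item, f"{path}[{i}]")


# Constructed sample route-config fragment (not from the page or the project).
SAMPLE_CONFIG = {
    "virtual_hosts": [{
        "name": "backend",
        "rate_limits": [
            {"actions": [{"remote_address": {}}]},                                  # request phase only
            {"actions": [{"remote_address": {}}], "apply_on_stream_done": True},    # response phase
        ],
    }],
}
```

Feed it the version string from `envoy --version` and the route configuration as loaded by a YAML or JSON parser; a hit from both checks means the fix is outstanding on a proxy that exercises the vulnerable path.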

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

envoyproxy / envoy: 1.37.0 · < 1.34.13 · 1.35.0 to < 1.35.8 · 1.36.0 to < 1.36.5 (ranges follow the NVD description, which names 1.34.13, 1.35.8, 1.36.5 and 1.37.1 as the fixed releases)

CVEs Like This One

CVE-2025-30157 (same product: Envoyproxy Envoy)
CVE-2026-26310 (same product: Envoyproxy Envoy)
CVE-2026-26308 (same product: Envoyproxy Envoy)
CVE-2026-6754 (shared CWE-416)
CVE-2026-23351 (shared CWE-416)
CVE-2026-27828 (shared CWE-416)
CVE-2026-25954 (shared CWE-416)
CVE-2026-4271 (shared CWE-416)
CVE-2026-28799 (shared CWE-416)
CVE-2026-3805 (shared CWE-416)

References

GitHub security advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3