Cyber Resilience

CVE-2026-26330

Medium

Published: 10 March 2026
Modified: 11 March 2026
KEV Added: not listed
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0000 (0.2th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26330 is a medium-severity Use After Free (CWE-416) vulnerability in Envoyproxy Envoy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 0.2th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-26330 is a vulnerability in Envoy, a high-performance edge/middle/service proxy, affecting versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13. It resides in the rate limit filter: when the response phase limit is enabled with apply_on_stream_done configured, a response phase limit request that fails directly can crash Envoy. The root cause is that the same gRPC client instance is reused for both the request phase and the response phase limit requests without cleaning up the inner state left over from the request phase, so the failing second request accesses stale state and crashes (CWE-416, use after free).

The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating network accessibility with high attack complexity and low privilege requirements. An attacker with low privileges can trigger the crash during the response phase of rate limiting, achieving a denial-of-service impact by terminating the Envoy process without affecting confidentiality or integrity.

The vulnerability is addressed in Envoy releases 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3.
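As an added exposure check (not code from the Envoy project or from this page), the following Python parses an Envoy version out of an `envoy --version` banner (banner layout assumed), compares it branch by branch against the fixed releases listed above, and flags route rate_limits entries that set apply_on_stream_done, the configuration the page identifies as the trigger. The handling of branches older than 1.34 or newer than 1.37, the dict shape of the parsed config, and the sample banner and config are all assumptions constructed for the example.

```python
import re

# Fixed releases for CVE-2026-26330, one per maintained minor branch (from the advisory text).
FIXED_VERSIONS = {
    (1, 37): (1, 37, 1),
    (1, 36): (1, 36, 5),
    (1, 35): (1, 35, 8),
    (1, 34): (1, 34, 13),
}
OLDEST_PATCHED_BRANCH = min(FIXED_VERSIONS)  # (1, 34)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_envoy_version(text):
    """Return the first x.y.z triple found in `text` as a tuple of ints.

    Accepts a bare '1.36.4' as well as an `envoy --version` banner, which is
    assumed here to look like '<hash>/<version>/<status>/<build>/<ssl>'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in match.groups())


def is_affected(version):
    """True if this Envoy version predates the fix on its minor branch."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    if branch < OLDEST_PATCHED_BRANCH:
        return True  # assumption: branches older than 1.34 never received the fix
    return False  # assumption: branches newer than 1.37 were cut after the fix


def response_phase_entries(rate_limits):
    """Return indices of rate_limits entries that enable the response-phase limit.

    `rate_limits` is assumed to be the parsed list of route-level RateLimit
    entries, each a dict mirroring Envoy's config.route.v3.RateLimit fields.
    """
    return [i for i, rl in enumerate(rate_limits) if rl.get("apply_on_stream_done")]


def assess(version_text, rate_limits):
    """Combine the version and configuration checks into one verdict."""
    version = parse_envoy_version(version_text)
    affected = is_affected(version)
    entries = response_phase_entries(rate_limits)
    branch = version[:2]
    if not affected:
        advice = "running a fixed release; no action needed for this CVE"
    elif entries:
        fixed = ".".join(map(str, FIXED_VERSIONS.get(branch, FIXED_VERSIONS[OLDEST_PATCHED_BRANCH])))
        advice = (f"upgrade to {fixed} or later; until then remove apply_on_stream_done "
                  f"from rate_limits entries {entries} to avoid the crash path")
    else:
        advice = "upgrade when convenient; the triggering configuration is not present"
    return {
        "version": version,
        "affected": affected,
        "response_phase_entries": entries,
        "advice": advice,
    }


# Constructed sample inputs (not real output or configuration).
SAMPLE_BANNER = "envoy  version: 0123abcd/1.36.4/Clean/RELEASE/BoringSSL"
SAMPLE_RATE_LIMITS = [
    {"stage": 0, "actions": [{"remote_address": {}}]},
    {"stage": 0, "apply_on_stream_done": True, "actions": [{"request_headers": {}}]},
]

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_RATE_LIMITS))
```

The version comparison is deliberately per branch: 1.35.9 is fixed even though it is numerically below 1.36.0, so a single "greater than X" check would misclassify patched LTS builds.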

EU & UK References

Vulnerability details

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, at the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request's inner state may be accessed and result in crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables direct exploitation of a use-after-free crash in the Envoy rate-limit filter, matching T1499.004 (Application or System Exploitation) for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30157 (same product: Envoyproxy Envoy)
CVE-2026-26310 (same product: Envoyproxy Envoy)
CVE-2026-26308 (same product: Envoyproxy Envoy)
CVE-2026-6759 (shared CWE-416)
CVE-2026-28799 (shared CWE-416)
CVE-2026-24684 (shared CWE-416)
CVE-2026-3805 (shared CWE-416)
CVE-2026-8336 (shared CWE-416)
CVE-2026-24683 (shared CWE-416)
CVE-2024-56772 (shared CWE-416)

Affected Assets

envoyproxy/envoy: 1.37.0 · ≤ 1.34.13 · 1.35.0 to 1.35.8 · 1.36.0 to 1.36.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely application of vendor patches that eliminate the use-after-free in the rate-limit gRPC client (fixed in 1.37.1+).

prevent: Allows disabling the vulnerable response-phase rate-limit configuration (apply_on_stream_done) that triggers reuse of uncleaned gRPC state.

prevent: Requires protection mechanisms that limit the availability impact when an Envoy process crashes due to the rate-limit flaw.

References