{"id":"CVE-2026-26311","summary":"Envoy HTTP: filter chain execution on reset streams causing UAF crash","details":"Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy().
This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.","aliases":["BIT-envoy-2026-26311","GHSA-84xm-r438-86px"],"modified":"2026-03-14T08:46:22.984712Z","published":"2026-03-10T19:14:41.645Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-416"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26311.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26311.json"},{"type":"ADVISORY","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26311"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"6d9bb7d9a85d616b220d1f8fe67b61f82bbdb8d3"},{"fixed":"5ef4e4cea57f63e7e2970b9c1ad696278db927d6"}],"database_specific":{"versions":[{"introduced":"1.37.0"},{"fixed":"1.37.1"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"63ee0dc79dce88117c6bd2df5a742f8eb67ea980"},{"fixed":"41749943780b54b70b510b1b1a4805ae529e174a"}],"database_specific":{"versions":[{"introduced":"1.36.0"},{"fixed":"1.36.5"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"84305a6cb64bd55aaf606bdd53de7cd6080427a1"},{"fixed":"75e220883447543d35571aecae826d7b1a2646b9"}],"database_specific":{"versions":[{"introduced":"1.35.0"},{"fixed":"1.35.9"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"0"},{"fixed":"7c0fda3dc457de6ee4585e8129e3f5728d65f367"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.34.13"}]}}],"versions":["v1.0.0","v1.1.0","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.18.0","v1.18.1","v1.18.2","v1.19.0","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.25.0","v1.26.0","v1.27.0","v1.28.0","v1.29.0","v1.3.0","v1.30.0","v1.31.0","v1.32.0","v1.33.0","v1.34.0","v1.34.1","v1.34.10","v1.34.11","v1.34.12","v1.34.2","v1.34.3","v1.34.4","v1.34.5","v1.34.6","v1.34.7","v1.34.8","v1.34.9","v1.35.0","v1.35.1","v1.35.2","v1.35.3","v1.35.4","v1.35.5","v1.35.6","v1.35.7","v1.35.8","v1.36.0","v1.36.1","v1.36.2","v1.36.3","v1.36.4","v1.37.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26311.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}