5.9
Envoy Crashes When Handling Scoped IPv6 Addresses
GHSA-3cw6-2j68-868p
CVE-2026-26310
Summary
Envoy may crash when it handles a scoped IPv6 address. This can happen when the 'original src' filter is enabled and the original source is a scoped IPv6 address, or when Envoy resolves addresses from DNS responses that contain scoped IPv6 addresses. To avoid crashes, update to a fixed version of Envoy or configure it to handle scoped IPv6 addresses safely.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| envoyproxy | envoy | <= 1.34.13 | – |
| envoyproxy | envoy | > 1.35.0, <= 1.35.8 | – |
| envoyproxy | envoy | > 1.36.0, <= 1.36.5 | – |
| envoyproxy | envoy | 1.37.0 | – |
| github.com | envoyproxy | 1.37.0 | – |
| github.com | envoyproxy | > 1.36.0, <= 1.36.4 | – |
| github.com | envoyproxy | > 1.35.0, <= 1.35.8 | – |
| github.com | envoyproxy | <= 1.34.12 | – |
| envoyproxy | github.com/envoyproxy/envoy | All versions | – |
| envoyproxy | github.com/envoyproxy/envoy | > 1.36.0, <= 1.36.4 | – |
| envoyproxy | github.com/envoyproxy/envoy | > 1.35.0, <= 1.35.8 | – |
| envoyproxy | github.com/envoyproxy/envoy | <= 1.34.12 | – |
Original title
Envoy vulnerable to crash for scoped ip address during DNS
Original description
### Summary
Calling `Utility::getAddressWithPort` with a scoped IPv6 address causes a crash. This utility is called in the data plane from the original_src filter and the dns filter.
### Details
The crashing function is `Utility::getAddressWithPort`. The crash occurs if a string containing a scoped IPv6 address is passed to this function.
This vulnerability affects:
1. The **original src filter**: If the filter is configured and the original source is a scoped IPv6 address, it will cause a crash.
2. **DNS response address resolution**: If a DNS response contains a scoped IPv6 address, this will also trigger the crash.
### PoC
To reproduce the vulnerability:
1. **Method A (Original Src Filter):** Configure the `original src` filter in Envoy and provide a scoped IPv6 address as the original source.
2. **Method B (DNS Resolution):** Trigger a DNS resolution process within Envoy where the DNS response contains a scoped IPv6 address.
### Impact
This is a Denial of Service (DoS) vulnerability. It impacts users who have the `original src` filter configured or whose Envoy instances resolve addresses from DNS responses that may contain scoped IPv6 addresses.
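A pre-screening check for a config pipeline or DNS data audit on an affected version, given as an added example (not Envoy's code and not the upstream fix): it flags address strings that carry an IPv6 zone identifier, the kind of input the advisory says crashes `Utility::getAddressWithPort`. It assumes "scoped" means the RFC 4007 `address%zone` textual form; `classifyAddress` and `findScoped` are hypothetical names, and the sample inputs are constructed.

```cpp
#include <arpa/inet.h>
#include <iostream>
#include <string>
#include <vector>

enum class AddrKind { NotIPv6, PlainIPv6, ScopedIPv6 };

// Hypothetical helper, not an Envoy API. Accepts a bare address
// ("fe80::1%eth0") or a bracketed host:port ("[fe80::1%eth0]:443").
AddrKind classifyAddress(const std::string& input) {
  std::string host = input;
  if (!host.empty() && host.front() == '[') {
    // Bracketed form: keep only what sits between '[' and ']'.
    const auto close = host.find(']');
    if (close == std::string::npos) return AddrKind::NotIPv6;
    host = host.substr(1, close - 1);
  }
  // Assumed textual form of a scoped address: <address>%<zone_id> (RFC 4007).
  const auto pct = host.find('%');
  const std::string base = host.substr(0, pct);  // whole string if no '%'
  struct in6_addr parsed;
  if (inet_pton(AF_INET6, base.c_str(), &parsed) != 1) return AddrKind::NotIPv6;
  return pct == std::string::npos ? AddrKind::PlainIPv6 : AddrKind::ScopedIPv6;
}

// Returns the entries that carry a zone identifier, so a config pipeline or
// DNS data audit can reject or report them.
std::vector<std::string> findScoped(const std::vector<std::string>& addrs) {
  std::vector<std::string> hits;
  for (const auto& a : addrs)
    if (classifyAddress(a) == AddrKind::ScopedIPv6) hits.push_back(a);
  return hits;
}

int main() {
  // Constructed sample inputs (documentation and link-local ranges).
  const std::vector<std::string> sample = {
      "2001:db8::10", "fe80::1%eth0", "[fe80::2%3]:8443", "192.0.2.7", "example.com"};
  for (const auto& a : findScoped(sample)) std::cout << "scoped: " << a << "\n";
  return 0;
}
```

IPv4 addresses and hostnames are reported as `NotIPv6` and pass through untouched; only strings whose part before `%` parses as IPv6 are flagged.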
ghsa CVSS3.1
5.9
Vulnerability type
CWE-20
Improper Input Validation
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026