Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.9
Envoy Proxy May Let Attackers Keep Streams Open
GHSA-84xm-r438-86px
CVE-2026-26311
GHSA-84xm-r438-86px
Summary
A bug in the Envoy Proxy's connection manager can allow attackers to keep connections open even after they've been closed. This can lead to security issues and data loss. Update to version 1.37.1, 1.36.5, 1.35.8, or 1.34.13 to fix the problem.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| envoyproxy | envoy | <= 1.34.13 | – |
| envoyproxy | envoy | > 1.35.0 , <= 1.35.8 | – |
| envoyproxy | envoy | > 1.36.0 , <= 1.36.5 | – |
| envoyproxy | envoy | 1.37.0 | – |
| github.com | envoyproxy | 1.37.0 | – |
| github.com | envoyproxy | > 1.36.0 , <= 1.36.4 | – |
| github.com | envoyproxy | > 1.35.0 , <= 1.35.8 | – |
| github.com | envoyproxy | <= 1.34.12 | – |
| envoyproxy | github.com/envoyproxy/envoy | All versions | – |
| envoyproxy | github.com/envoyproxy/envoy | > 1.36.0 , <= 1.36.4 | – |
| envoyproxy | github.com/envoyproxy/envoy | > 1.35.0 , <= 1.35.8 | – |
| envoyproxy | github.com/envoyproxy/envoy | <= 1.34.12 | – |
Original title
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie ...
Original description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
ghsa CVSS3.1
5.9
Vulnerability type
CWE-416
Use After Free
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026