5.3

Envoy Proxy Can Crash or Read Data Incorrectly Due to String Corruption

GHSA-56cj-wgg3-x943 · CVE-2026-26309
Summary

Vulnerable versions of Envoy Proxy can crash or access memory incorrectly, potentially leading to data corruption or security issues. The cause is an off-by-one write in Envoy::JsonEscaper::escapeString() that can corrupt std::string null-termination. The issue affects versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, and updating to a patched version (1.37.1, 1.36.5, 1.35.8, or 1.34.13) resolves the problem.

What to do

Update Envoy to a patched version: 1.37.1, 1.36.5, 1.35.8, or 1.34.13.

Affected software
Vendor | Product | Affected versions | Fix available
envoyproxy | envoy | <= 1.34.13 |
envoyproxy | envoy | > 1.35.0, <= 1.35.8 |
envoyproxy | envoy | > 1.36.0, <= 1.36.5 |
envoyproxy | envoy | 1.37.0 |
github.com | envoyproxy | 1.37.0 |
github.com | envoyproxy | > 1.36.0, <= 1.36.4 |
github.com | envoyproxy | > 1.35.0, <= 1.35.8 |
github.com | envoyproxy | <= 1.34.12 |
envoyproxy | github.com/envoyproxy/envoy | All versions |
envoyproxy | github.com/envoyproxy/envoy | > 1.36.0, <= 1.36.4 |
envoyproxy | github.com/envoyproxy/envoy | > 1.35.0, <= 1.35.8 |
envoyproxy | github.com/envoyproxy/envoy | <= 1.34.12 |
Original title
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-terminati...
Original description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
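A version check built from the fixed releases named in the description above, as an added example that is not part of the advisory or of Envoy itself. The function names and the host inventory are constructed for illustration, and the treatment of release lines newer than 1.37 as fixed is an assumption.

```python
import re

# First patched release in each supported line, taken from the advisory text:
# "fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13".
FIXED_PATCH = {(1, 37): 1, (1, 36): 5, (1, 35): 8, (1, 34): 13}
OLDEST_FIXED_LINE = min(FIXED_PATCH)


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v1.36.4' or '1.36.4-dev'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """Return True when the version predates the fix for its release line."""
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    if line < OLDEST_FIXED_LINE:
        # Lines older than 1.34 have no patched release listed in the advisory.
        return True
    # Assumption: release lines newer than 1.37 already contain the fix.
    return False


def audit(inventory):
    """Map of host -> version string in, sorted list of affected hosts out."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory, e.g. collected from deployment manifests.
SAMPLE_INVENTORY = {
    "edge-1": "v1.37.0",
    "edge-2": "v1.37.1",
    "mesh-a": "1.36.4",
    "mesh-b": "1.35.8",
    "legacy": "1.33.2",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs an upgrade")
```

Pre-release or locally built binaries can report a fixed version number without containing the patch, so treat a "not affected" result for such builds as unconfirmed.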
GHSA CVSS 3.1 score: 5.3
Vulnerability type
CWE-193
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026