Vulnerability-Lookup

WID-SEC-W-2026-0704

Vulnerability from csaf_certbund - Published: 2026-03-11 23:00 - Updated: 2026-03-26 23:00

Summary

Google Cloud Platform Envoy Proxy, Istio und Service Mesh: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Google Cloud Platform (GCP) ist eine Sammlung von Cloud-Computing-Diensten von Google, die Infrastruktur, Datenanalyse, maschinelles Lernen und Entwicklungstools bietet. Unternehmen können dadurch Anwendungen in der Cloud zu aufbauen und skalierbar bereitzustellen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Google Cloud Platform ausnutzen, um Sicherheitsvorkehrungen zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX

CVE-2026-26308

CVE-2026-26309

CVE-2026-26310

CVE-2026-26311

CVE-2026-26330

CVE-2026-31837

CVE-2026-31838

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://docs.cloud.google.com/support/bulletins#g…	external
	https://docs.cloud.google.com/service-mesh/docs/s…	external
	https://access.redhat.com/errata/RHSA-2026:5952	external
	https://access.redhat.com/errata/RHSA-2026:5950	external
	https://access.redhat.com/errata/RHSA-2026:5948	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Google Cloud Platform (GCP) ist eine Sammlung von Cloud-Computing-Diensten von Google, die Infrastruktur, Datenanalyse, maschinelles Lernen und Entwicklungstools bietet. Unternehmen k\u00f6nnen dadurch Anwendungen in der Cloud zu aufbauen und skalierbar bereitzustellen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Google Cloud Platform ausnutzen, um Sicherheitsvorkehrungen zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0704 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0704.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0704 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0704"
      },
      {
        "category": "external",
        "summary": "Google Cloud Sicherheitsbulletin vom 2026-03-11",
        "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-013"
      },
      {
        "category": "external",
        "summary": "Google Cloud Sicherheitsbulletin vom 2026-03-11",
        "url": "https://docs.cloud.google.com/service-mesh/docs/security-bulletins#gcp-2026-013"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:5952 vom 2026-03-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:5952"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:5950 vom 2026-03-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:5950"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:5948 vom 2026-03-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:5948"
      }
    ],
    "source_lang": "en-US",
    "title": "Google Cloud Platform Envoy Proxy, Istio und Service Mesh: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-26T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-27T09:01:18.703+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0704",
      "initial_release_date": "2026-03-11T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-11T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-26T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Envoy Proxy",
                "product": {
                  "name": "Google Cloud Platform Envoy Proxy",
                  "product_id": "T051659",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:cloud_platform:envoy_proxy"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Istio",
                "product": {
                  "name": "Google Cloud Platform Istio",
                  "product_id": "T051660",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:cloud_platform:istio"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Service Mesh \u003c1.28.5-asm.9",
                "product": {
                  "name": "Google Cloud Platform Service Mesh \u003c1.28.5-asm.9",
                  "product_id": "T051662"
                }
              },
              {
                "category": "product_version",
                "name": "Service Mesh 1.28.5-asm.9",
                "product": {
                  "name": "Google Cloud Platform Service Mesh 1.28.5-asm.9",
                  "product_id": "T051662-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:cloud_platform:service_mesh__1.28.5-asm.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Service Mesh \u003c1.27.8-asm.7",
                "product": {
                  "name": "Google Cloud Platform Service Mesh \u003c1.27.8-asm.7",
                  "product_id": "T051663"
                }
              },
              {
                "category": "product_version",
                "name": "Service Mesh 1.27.8-asm.7",
                "product": {
                  "name": "Google Cloud Platform Service Mesh 1.27.8-asm.7",
                  "product_id": "T051663-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:cloud_platform:service_mesh__1.27.8-asm.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Service Mesh \u003c1.26.8-asm.3",
                "product": {
                  "name": "Google Cloud Platform Service Mesh \u003c1.26.8-asm.3",
                  "product_id": "T051664"
                }
              },
              {
                "category": "product_version",
                "name": "Service Mesh 1.26.8-asm.3",
                "product": {
                  "name": "Google Cloud Platform Service Mesh 1.26.8-asm.3",
                  "product_id": "T051664-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:cloud_platform:service_mesh__1.26.8-asm.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Cloud Platform"
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-26308",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-26308"
    },
    {
      "cve": "CVE-2026-26309",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-26309"
    },
    {
      "cve": "CVE-2026-26310",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-26310"
    },
    {
      "cve": "CVE-2026-26311",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-26311"
    },
    {
      "cve": "CVE-2026-26330",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-26330"
    },
    {
      "cve": "CVE-2026-31837",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-31837"
    },
    {
      "cve": "CVE-2026-31838",
      "product_status": {
        "known_affected": [
          "T051659",
          "67646",
          "T051664",
          "T051662",
          "T051663",
          "T051660"
        ]
      },
      "release_date": "2026-03-11T23:00:00.000+00:00",
      "title": "CVE-2026-31838"
    }
  ]
}

CVE-2026-26310 (GCVE-0-2026-26310)

Vulnerability from cvelistv5 – Published: 2026-03-10 19:08 – Updated: 2026-03-10 20:12

Title

Crash for scoped ip address in Envoy during DNS

Summary

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

URL

Tags

https://github.com/envoyproxy/envoy/security/advi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	envoyproxy	envoy	Affected: >= 1.37.0, < 1.37.1 Affected: >= 1.36.0, < 1.36.5 Affected: >= 1.35.0, < 1.35.9 Affected: < 1.34.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26310",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T20:10:56.890236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T20:12:40.343Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c 1.37.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.36.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.35.0, \u003c 1.35.9"
            },
            {
              "status": "affected",
              "version": "\u003c 1.34.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T19:08:22.330Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p"
        }
      ],
      "source": {
        "advisory": "GHSA-3cw6-2j68-868p",
        "discovery": "UNKNOWN"
      },
      "title": "Crash for scoped ip address in Envoy during DNS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26310",
    "datePublished": "2026-03-10T19:08:22.330Z",
    "dateReserved": "2026-02-13T16:27:51.805Z",
    "dateUpdated": "2026-03-10T20:12:40.343Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26309 (GCVE-0-2026-26309)

Vulnerability from cvelistv5 – Published: 2026-03-10 19:04 – Updated: 2026-03-10 20:12

Title

Envoy has an off-by-one write in JsonEscaper::escapeString()

Summary

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-193 - Off-by-one Error

Assigner

GitHub_M

References

URL

Tags

https://github.com/envoyproxy/envoy/security/advi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	envoyproxy	envoy	Affected: >= 1.37.0, < 1.37.1 Affected: >= 1.36.0, < 1.36.5 Affected: >= 1.35.0, < 1.35.9 Affected: < 1.34.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T20:10:43.653623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T20:12:40.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c 1.37.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.36.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.35.0, \u003c 1.35.9"
            },
            {
              "status": "affected",
              "version": "\u003c 1.34.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-193",
              "description": "CWE-193: Off-by-one Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T19:04:21.384Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943"
        }
      ],
      "source": {
        "advisory": "GHSA-56cj-wgg3-x943",
        "discovery": "UNKNOWN"
      },
      "title": "Envoy has an off-by-one write in JsonEscaper::escapeString()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26309",
    "datePublished": "2026-03-10T19:04:21.384Z",
    "dateReserved": "2026-02-13T16:27:51.805Z",
    "dateUpdated": "2026-03-10T20:12:40.483Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26308 (GCVE-0-2026-26308)

Vulnerability from cvelistv5 – Published: 2026-03-10 19:01 – Updated: 2026-03-10 20:12

Title

Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation

Summary

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/envoyproxy/envoy/security/advi…	x_refsource_CONFIRM
	https://github.com/envoyproxy/envoy/commit/b6ba0b…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	envoyproxy	envoy	Affected: >= 1.37.0, < 1.37.1 Affected: >= 1.36.0, < 1.36.5 Affected: >= 1.35.0, < 1.35.9 Affected: < 1.34.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26308",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T20:10:29.907912Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T20:12:40.604Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c 1.37.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.36.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.35.0, \u003c 1.35.9"
            },
            {
              "status": "affected",
              "version": "\u003c 1.34.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies\u2014specifically \"Deny\" rules\u2014by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T19:01:28.062Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5"
        },
        {
          "name": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867"
        }
      ],
      "source": {
        "advisory": "GHSA-ghc4-35x6-crw5",
        "discovery": "UNKNOWN"
      },
      "title": "Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26308",
    "datePublished": "2026-03-10T19:01:28.062Z",
    "dateReserved": "2026-02-13T16:27:51.804Z",
    "dateUpdated": "2026-03-10T20:12:40.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31837 (GCVE-0-2026-31837)

Vulnerability from cvelistv5 – Published: 2026-03-10 21:57 – Updated: 2026-03-11 15:58

Title

Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.

Summary

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

https://github.com/istio/istio/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	istio	istio	Affected: >= 1.29.0-alpha.0, < 1.29.1 Affected: >= 1.28.0-alpha.0, < 1.28.5 Affected: < 1.27.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31837",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:53:25.811841Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:58:29.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "istio",
          "vendor": "istio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.29.0-alpha.0, \u003c 1.29.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.28.0-alpha.0, \u003c 1.28.5"
            },
            {
              "status": "affected",
              "version": "\u003c 1.27.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T21:57:44.387Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c"
        }
      ],
      "source": {
        "advisory": "GHSA-v75c-crr9-733c",
        "discovery": "UNKNOWN"
      },
      "title": "Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31837",
    "datePublished": "2026-03-10T21:57:44.387Z",
    "dateReserved": "2026-03-09T17:41:56.078Z",
    "dateUpdated": "2026-03-11T15:58:29.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31838 (GCVE-0-2026-31838)

Vulnerability from cvelistv5 – Published: 2026-03-10 21:58 – Updated: 2026-03-11 13:53

Title

Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.

Summary

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/istio/istio/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	istio	istio	Affected: >= 1.29.0-alpha.0, < 1.29.1 Affected: >= 1.28.0-alpha.0, < 1.28.5 Affected: < 1.27.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31838",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T13:53:19.285106Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T13:53:28.620Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "istio",
          "vendor": "istio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.29.0-alpha.0, \u003c 1.29.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.28.0-alpha.0, \u003c 1.28.5"
            },
            {
              "status": "affected",
              "version": "\u003c 1.27.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T21:58:53.354Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/istio/istio/security/advisories/GHSA-974c-2wxh-g4ww",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/istio/istio/security/advisories/GHSA-974c-2wxh-g4ww"
        }
      ],
      "source": {
        "advisory": "GHSA-974c-2wxh-g4ww",
        "discovery": "UNKNOWN"
      },
      "title": "Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31838",
    "datePublished": "2026-03-10T21:58:53.354Z",
    "dateReserved": "2026-03-09T17:41:56.078Z",
    "dateUpdated": "2026-03-11T13:53:28.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26311 (GCVE-0-2026-26311)

Vulnerability from cvelistv5 – Published: 2026-03-10 19:14 – Updated: 2026-03-10 19:34

Title

Envoy HTTP: filter chain execution on reset streams causing UAF crash

Summary

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-416 - Use After Free

Assigner

GitHub_M

References

URL

Tags

https://github.com/envoyproxy/envoy/security/advi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	envoyproxy	envoy	Affected: >= 1.37.0, < 1.37.1 Affected: >= 1.36.0, < 1.36.5 Affected: >= 1.35.0, < 1.35.9 Affected: < 1.34.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26311",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T19:29:44.698912Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T19:34:36.118Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c 1.37.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.36.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.35.0, \u003c 1.35.9"
            },
            {
              "status": "affected",
              "version": "\u003c 1.34.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy\u0027s HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T19:14:41.645Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"
        }
      ],
      "source": {
        "advisory": "GHSA-84xm-r438-86px",
        "discovery": "UNKNOWN"
      },
      "title": "Envoy HTTP: filter chain execution on reset streams causing UAF crash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26311",
    "datePublished": "2026-03-10T19:14:41.645Z",
    "dateReserved": "2026-02-13T16:27:51.806Z",
    "dateUpdated": "2026-03-10T19:34:36.118Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26330 (GCVE-0-2026-26330)

Vulnerability from cvelistv5 – Published: 2026-03-10 19:19 – Updated: 2026-03-10 20:17

Title

Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly

Summary

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request's inner state may be accessed and result in crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-416 - Use After Free

Assigner

GitHub_M

References

URL

Tags

https://github.com/envoyproxy/envoy/security/advi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	envoyproxy	envoy	Affected: >= 1.37.0, < 1.37.1 Affected: >= 1.36.0, < 1.36.5 Affected: >= 1.35.0, < 1.35.9 Affected: < 1.34.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26330",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T20:16:17.364596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T20:17:14.401Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c 1.37.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.36.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.35.0, \u003c 1.35.9"
            },
            {
              "status": "affected",
              "version": "\u003c 1.34.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request\u0027s inner state may be accessed and result in crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T19:19:52.696Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3"
        }
      ],
      "source": {
        "advisory": "GHSA-c23c-rp3m-vpg3",
        "discovery": "UNKNOWN"
      },
      "title": "Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26330",
    "datePublished": "2026-03-10T19:19:52.696Z",
    "dateReserved": "2026-02-13T16:27:51.810Z",
    "dateUpdated": "2026-03-10T20:17:14.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0704

CVE-2026-26310 (GCVE-0-2026-26310)

CVE-2026-26309 (GCVE-0-2026-26309)

CVE-2026-26308 (GCVE-0-2026-26308)

CVE-2026-31837 (GCVE-0-2026-31837)

CVE-2026-31838 (GCVE-0-2026-31838)

CVE-2026-26311 (GCVE-0-2026-26311)

CVE-2026-26330 (GCVE-0-2026-26330)

Tags

Sightings

Nomenclature