CVE-2026-26309
MEDIUMEnvoy < 1.37.1, 1.36.5, 1.35.8, 1.34.13 - Off-by-one Write in JsonEscaper
Title source: llmDescription
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943
Scores
CVSS v3
5.3
EPSS
0.0037
EPSS Percentile
28.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-193
Status
published
Products (2)
envoyproxy/envoy
1.37.0
envoyproxy/envoy
< 1.34.13
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026