CVE-2026-26309

MEDIUM

Envoy <1.37.1 - Memory Corruption

Title source: llm

Description

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

References (1)

[Vendor Advisory] https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943

Scores

CVSS v3 5.3

EPSS 0.0000

EPSS Percentile 0.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-193

Status published

Products (2)

envoyproxy/envoy 1.37.0

envoyproxy/envoy < 1.34.13

Published Mar 10, 2026

Tracked Since Mar 11, 2026