{"id":"CVE-2026-26311","summary":"Envoy HTTP: filter chain execution on reset streams causing UAF crash","details":"Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.","aliases":["BIT-envoy-2026-26311","GHSA-84xm-r438-86px"],"modified":"2026-04-17T04:03:36.568255Z","published":"2026-03-10T19:14:41.645Z","database_specific":{"cwe_ids":["CWE-416"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26311.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26311.json"},{"type":"ADVISORY","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26311"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"84305a6cb64bd55aaf606bdd53de7cd6080427a1"},{"fixed":"7c0fda3dc457de6ee4585e8129e3f5728d65f367"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-26311.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}