CVE-2026-26310: CWE-20: Improper Input Validation in envoyproxy envoy
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 address causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
AI Analysis
Technical Summary
CVE-2026-26310 is a CWE-20 (Improper Input Validation) vulnerability in Envoy, a widely used high-performance edge, middle, and service proxy. The flaw is in Utility::getAddressWithPort, a network utility that, as its name says, combines an address with a port. When the input is a scoped IPv6 address (an address carrying an RFC 4007 zone index, written with a "%zone" suffix such as fe80::1%eth0 and used mainly with link-local addresses to name the interface they belong to), the function does not handle the scope correctly and the Envoy process crashes, which is a denial of service. The function is reached in the data plane from two components, the original_src filter and the dns filter, so only deployments that use one of these filters expose the vulnerable path to traffic. All Envoy releases before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 are affected, and those releases contain the fix. The CVSS v3.1 base score is 5.9 (medium): network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high availability impact with no confidentiality or integrity impact. No public exploit or active exploitation has been reported. The root cause is missing validation of the scoped-address form: a remote party whose traffic reaches one of the two filters and is represented internally as a scoped IPv6 address can crash an unpatched instance.
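To make the failure mode concrete, here is an added example in C++ (the language of the affected utility) that is not Envoy code: it shows a plain inet_pton() parser rejecting the "%zone" suffix that scoped addresses carry, which is the result the vulnerable caller must check before using it, and a scope-aware parser that splits the zone off, parses the address part, and keeps the zone as sin6_scope_id. The names naiveParseIpv6, parseScopedIpv6, parseZoneIndex and ParsedAddr are this example's own and do not correspond to Envoy's API.

```cpp
// Added example, not Envoy source: how an RFC 4007 zone index ("%zone") breaks
// a parser that only expects a plain IPv6 literal, and a hardened parser that
// separates the zone, parses the address part, and keeps the zone in
// sin6_scope_id. Function names and the ParsedAddr struct are this example's
// own; they are not Envoy's getAddressWithPort API.
#include <algorithm>
#include <arpa/inet.h>
#include <cctype>
#include <cstdint>
#include <net/if.h>
#include <netinet/in.h>
#include <optional>
#include <string>

struct ParsedAddr {
    sockaddr_in6 sa{};     // family, port, address, scope id in socket form
    std::string zone;      // zone text as written ("eth0", "2"); empty if unscoped
    bool zone_resolved{};  // false if a named zone has no interface on this host
};

// Naive parser: the whole literal goes to inet_pton(), which rejects the '%'
// suffix. A caller that assumes success and dereferences the result is the
// crash pattern the advisory describes.
std::optional<in6_addr> naiveParseIpv6(const std::string& literal) {
    in6_addr addr{};
    if (inet_pton(AF_INET6, literal.c_str(), &addr) != 1) return std::nullopt;
    return addr;
}

// Parse a decimal zone index with an overflow guard (scope ids are 32-bit).
static std::optional<uint32_t> parseZoneIndex(const std::string& zone) {
    if (zone.empty() || !std::all_of(zone.begin(), zone.end(),
                                     [](unsigned char c) { return std::isdigit(c) != 0; }))
        return std::nullopt;
    uint64_t v = 0;
    for (char c : zone) {
        v = v * 10 + static_cast<uint64_t>(c - '0');
        if (v > UINT32_MAX) return std::nullopt;
    }
    return static_cast<uint32_t>(v);
}

// Hardened parser: never returns a half-built result; every failure is nullopt.
std::optional<ParsedAddr> parseScopedIpv6(const std::string& literal, uint16_t port) {
    std::string host = literal;
    std::string zone;
    if (auto pct = literal.find('%'); pct != std::string::npos) {
        host = literal.substr(0, pct);
        zone = literal.substr(pct + 1);
        if (zone.empty()) return std::nullopt;  // "fe80::1%" is malformed
    }
    in6_addr addr{};
    if (inet_pton(AF_INET6, host.c_str(), &addr) != 1) return std::nullopt;

    ParsedAddr out;
    out.sa.sin6_family = AF_INET6;
    out.sa.sin6_port = htons(port);
    out.sa.sin6_addr = addr;
    out.zone = zone;
    out.zone_resolved = true;
    if (!zone.empty()) {
        if (auto idx = parseZoneIndex(zone)) {
            out.sa.sin6_scope_id = *idx;                          // numeric zone, e.g. "%2"
        } else {
            unsigned idx_by_name = if_nametoindex(zone.c_str());  // named zone, e.g. "%eth0"
            out.sa.sin6_scope_id = idx_by_name;
            out.zone_resolved = idx_by_name != 0;                 // 0 means no such interface here
        }
    }
    return out;
}

// Render as "[addr%zone]:port", the form in which scoped literals are usually
// logged, so what went in can be compared with what was parsed.
std::string toString(const ParsedAddr& p) {
    char buf[INET6_ADDRSTRLEN];
    inet_ntop(AF_INET6, &p.sa.sin6_addr, buf, sizeof buf);
    std::string s = "[" + std::string(buf);
    if (!p.zone.empty()) s += "%" + p.zone;
    s += "]:" + std::to_string(ntohs(p.sa.sin6_port));
    return s;
}
```

Two details matter for a caller: every failure is reported as an empty result rather than a partially filled struct, and a named zone that does not exist on the host (if_nametoindex returns 0) is flagged through zone_resolved instead of being silently treated as the unscoped address.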
Potential Impact
The primary impact is denial of service: the Envoy process crashes and must be restarted, interrupting the traffic routing, load balancing, and service-mesh operations that depend on it. Because Envoy is widely deployed at the edge, as a sidecar in service meshes, and in other cloud-native and microservice architectures, a successful trigger can take down a critical-path component and affect application uptime. Confidentiality and integrity are not affected, but repeated crashes can cascade into outages, degraded customer experience, and missed service-level agreements. No authentication or user interaction is required, so an unauthenticated party whose traffic reaches a vulnerable original_src or dns filter can trigger the crash; the high attack complexity rating indicates that conditions outside the attacker's control must hold, and in practice the vulnerable code is only reached through those two filters. Instances that use either filter and accept traffic from untrusted or multi-tenant networks are the most exposed.
Mitigation Recommendations
Upgrade affected Envoy instances to 1.37.1, 1.36.5, 1.35.8, or 1.34.13 (or a later release on the same line) as soon as possible. Older lines such as 1.33 have no fixed release in the advisory and should be moved to a maintained line. Where an immediate upgrade is not feasible, first determine whether the vulnerable path is reachable at all by checking listener, HTTP, and UDP filter chains for the original_src filter and the dns filter, and remove either filter where it is not actually needed. Where they are needed, reduce the chance that a scoped IPv6 address reaches them: scoped addresses are link-local in practice, so avoid binding the affected listeners to link-local IPv6 addresses and restrict which sources can reach them with network segmentation and firewall rules. Monitor for exploitation by tracking Envoy process or container restarts (for example the RESTARTS column of kubectl get pods, or the orchestrator's equivalent) and crash output on stderr, and alert on any increase. Run redundant Envoy instances behind health-checked load balancing so that a single crash does not become an outage. Track emerging exploit reports or proof-of-concept code and adjust defenses accordingly.
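A quick way to apply the version guidance above: an added C++ helper, not part of Envoy or of this page's tooling, that reads a version string and reports whether it is on an affected release line. It treats the fix list per line, which is the point the "prior to" wording makes easy to misread (1.36.4 is affected, 1.35.8 is not), and it assumes the `envoy --version` output places the release number in the second '/'-separated field.

```cpp
// Added example, not Envoy tooling: classify an Envoy build against the fixed
// releases named in the advisory. The "prior to 1.37.1, 1.36.5, 1.35.8, and
// 1.34.13" wording is per release line, so 1.36.4 is affected while 1.35.8 is
// not, and 1.33.x has no fixed release. Assumption about input format: the
// `envoy --version` line carries the release number as the second
// '/'-separated field, e.g. "envoy  version: <sha>/1.36.4/Clean/RELEASE/BoringSSL".
#include <array>
#include <cstdio>
#include <optional>
#include <string>

struct Version { int major; int minor; int patch; };

enum class Status { Fixed, Affected, NotNamedByAdvisory, Unparseable };

// First fixed release on each line listed in the advisory.
constexpr std::array<Version, 4> kFirstFixed = {{{1, 37, 1}, {1, 36, 5}, {1, 35, 8}, {1, 34, 13}}};

// Accepts a bare "1.36.4" or a full `envoy --version` line.
std::optional<Version> parseEnvoyVersion(const std::string& text) {
    std::string v = text;
    if (auto first = text.find('/'); first != std::string::npos) {
        auto second = text.find('/', first + 1);
        v = text.substr(first + 1,
                        second == std::string::npos ? std::string::npos : second - first - 1);
    }
    Version out{};
    char trailing = 0;
    // Exactly three numbers and nothing after them; "1.36.4-dev" is rejected.
    if (std::sscanf(v.c_str(), "%d.%d.%d%c", &out.major, &out.minor, &out.patch, &trailing) != 3)
        return std::nullopt;
    return out;
}

Status cve202626310Status(const Version& v) {
    for (const auto& f : kFirstFixed) {
        if (v.major == f.major && v.minor == f.minor)
            return v.patch >= f.patch ? Status::Fixed : Status::Affected;
    }
    // Lines older than 1.34 have no fixed release at all.
    if (v.major < 1 || (v.major == 1 && v.minor < 34)) return Status::Affected;
    // Newer lines are not mentioned in the advisory; report that rather than guess.
    return Status::NotNamedByAdvisory;
}

// Convenience wrapper for a raw version string or `envoy --version` line.
Status classify(const std::string& text) {
    auto v = parseEnvoyVersion(text);
    return v ? cve202626310Status(*v) : Status::Unparseable;
}
```

Feed it the output of `envoy --version` from each fleet image; anything reported as Affected needs the upgrade, and NotNamedByAdvisory means the line is newer than the ones the advisory lists and should be confirmed against the project's release notes rather than assumed safe.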
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-13T16:27:51.805Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b071392f860ef943a5fd5a
Added to database: 3/10/2026, 7:30:01 PM
Last enriched: 3/10/2026, 7:45:28 PM
Last updated: 3/10/2026, 8:32:31 PM
Views: 4