CVE-2026-26311: CWE-416: Use After Free in envoyproxy envoy
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) allows Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
AI Analysis
Technical Summary
Envoy is a widely used high-performance edge and service proxy that handles HTTP/2 traffic among other protocols. CVE-2026-26311 is a Use-After-Free (UAF) vulnerability classified under CWE-416, discovered in Envoy's HTTP connection manager component, specifically within the FilterManager::decodeData method. The vulnerability stems from a logic flaw where the ActiveStream object remains in memory during a deferred deletion window after a stream reset. If a DATA frame arrives immediately after the reset, the HTTP/2 codec calls ActiveStream::decodeData, which cascades to FilterManager::decodeData. However, FilterManager::decodeData fails to check the saw_downstream_reset_ flag before iterating over decoder filters and invoking decodeData on filters that have already been destroyed (onDestroy called). This results in callbacks executing on freed memory, causing use-after-free conditions or state corruption. The affected Envoy versions include all releases before 1.37.1, 1.36.5, 1.35.8, and 1.34.13. The vulnerability can lead to crashes or destabilization of the proxy, potentially causing denial of service. Exploitation requires no authentication or user interaction but does require network access to send crafted HTTP/2 frames. No public exploits have been reported yet. The issue was fixed by adding proper checks to prevent filter callbacks on reset streams. The CVSS v3.1 score is 5.9 (medium severity) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network attack vector, high attack complexity, no privileges or user interaction needed, unchanged scope, no confidentiality or integrity impact, but high availability impact.
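The sequence described above, as a toy model added here (this is example code, not Envoy's source): a downstream reset calls onDestroy() on every decoder filter while the stream object lives on until deferred deletion, and a late DATA frame dispatched in the same cycle reaches FilterManager::decodeData. The member names decoder_filters_ and saw_downstream_reset_ are borrowed from the advisory's wording; the fixed_ switch, Filter counters and zombieCallsAfterReset() are assumptions made for the demonstration.

```cpp
// Added example, not Envoy's code: a toy model of the advisory's pattern.
// Member names decoder_filters_ / saw_downstream_reset_ mirror the text only.
#include <memory>
#include <string>
#include <vector>

struct Filter {
  bool destroyed = false;       // set by onDestroy()
  int calls_after_destroy = 0;  // "zombie" decodeData() calls
  void onDestroy() { destroyed = true; }
  void decodeData(const std::string&) { if (destroyed) ++calls_after_destroy; }
};
struct FilterManager {
  std::vector<std::shared_ptr<Filter>> decoder_filters_;
  bool saw_downstream_reset_ = false;
  bool fixed_;  // false = missing check (vulnerable), true = patched path

  explicit FilterManager(bool fixed) : fixed_(fixed) {
    decoder_filters_.push_back(std::make_shared<Filter>());
    decoder_filters_.push_back(std::make_shared<Filter>());
  }

  // Downstream reset tears filters down at once, but the stream object
  // survives until deferred deletion runs at the end of the dispatch cycle.
  void onDownstreamReset() {
    saw_downstream_reset_ = true;
    for (auto& f : decoder_filters_) f->onDestroy();
  }

  // Vulnerable path iterates regardless; fixed path honours the reset flag.
  void decodeData(const std::string& data) {
    if (fixed_ && saw_downstream_reset_) return;
    for (auto& f : decoder_filters_) f->decodeData(data);
  }

  int zombieCalls() const {
    int n = 0;
    for (const auto& f : decoder_filters_) n += f->calls_after_destroy;
    return n;
  }
};

// RST_STREAM immediately followed by a DATA frame in the same cycle.
int zombieCallsAfterReset(bool fixed) {
  FilterManager fm(fixed);
  fm.decodeData("body chunk");       // before reset: legitimate
  fm.onDownstreamReset();
  fm.decodeData("late DATA frame");  // after reset: must be dropped
  return fm.zombieCalls();
}
```

With fixed_ false both destroyed filters receive the late decodeData() call; with the flag check in place the frame is dropped and no destroyed filter is touched.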
Potential Impact
The primary impact of CVE-2026-26311 is denial of service (DoS) due to crashes or unstable behavior of the Envoy proxy when processing specially crafted HTTP/2 traffic. This can disrupt service availability for applications relying on Envoy as an edge or service proxy, potentially affecting load balancing, API gateway functions, and service mesh communications. Since Envoy is widely deployed in cloud-native environments, microservices architectures, and large-scale infrastructures, affected organizations may experience outages or degraded performance. Although there is no direct confidentiality or integrity compromise, the DoS impact can indirectly affect business operations, customer experience, and service-level agreements. The attack complexity is high, requiring precise timing of HTTP/2 frames, which may limit exploitation but does not eliminate the risk. The absence of known exploits in the wild reduces the immediate threat, but the vulnerability remains a risk until patched. Organizations running vulnerable Envoy versions in production environments are at risk of service disruption.
Mitigation Recommendations
Organizations should upgrade Envoy to the fixed versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 as soon as possible to eliminate the vulnerability. In environments where immediate upgrade is not feasible, consider deploying network-level protections such as HTTP/2 frame inspection and rate limiting to detect and block suspicious or malformed DATA frames arriving immediately after stream resets. Implement robust monitoring and alerting on Envoy proxy logs and metrics to detect abnormal crashes or restarts that may indicate exploitation attempts. Use canary or staged deployments to validate the stability of the patched versions before full rollout. Additionally, review and harden HTTP/2 traffic handling policies and consider isolating critical Envoy instances behind additional layers of defense to reduce exposure. Regularly audit and update all proxy and service mesh components to maintain security posture.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-13T16:27:51.806Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b071392f860ef943a5fd5d
Added to database: 3/10/2026, 7:30:01 PM
Last enriched: 3/10/2026, 7:45:11 PM
Last updated: 3/10/2026, 8:30:44 PM