CVE-2026-26330: CWE-416: Use After Free in envoyproxy envoy
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, in the rate limit filter, if the response phase limit with apply_on_stream_done enabled in the rate limit configuration is used and the response phase limit request fails immediately, Envoy may crash. When both the request phase limit and the response phase limit are enabled, the safe gRPC client instance is reused for both the request phase request and the response phase request. After the request phase request completes, however, the inner state of that request in the gRPC client is not cleaned up. When a second limit request is sent in the response phase and fails immediately, the previous request's inner state may be accessed, resulting in a crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
AI Analysis
Technical Summary
CVE-2026-26330 is a use-after-free vulnerability (CWE-416) in the Envoy proxy, a widely used high-performance edge, middle, and service proxy. The flaw lives in the rate limit filter and is reachable when both a request phase rate limit and a response phase rate limit (one with apply_on_stream_done set) are enabled. The same gRPC client instance serves both phases, but after the request phase limit request completes, its inner state in the client is not cleaned up. When the response phase limit request is then sent and fails immediately, the stale state of the earlier request is accessed, producing a use-after-free that crashes the Envoy process. All releases before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 are affected, spanning several recent Envoy release series. The vulnerability can be triggered over the network without user interaction, but it requires low privileges (PR:L) and has high attack complexity (AC:H) because of the specific configuration and failure conditions involved. The impact is limited to availability: the proxy crashes (denial of service), with no direct confidentiality or integrity compromise. The fixed versions address the issue by cleaning up the gRPC client state between the request phase and response phase limit requests.
Potential Impact
The primary impact of CVE-2026-26330 is denial of service (DoS) due to crashing of the Envoy proxy. Envoy is commonly deployed as a critical component in cloud-native architectures, service meshes, and edge routing, meaning that a crash can disrupt traffic flow, degrade service availability, and potentially cause cascading failures in dependent services. Organizations relying on Envoy for load balancing, API gateway functions, or service mesh proxies may experience outages or degraded performance if this vulnerability is exploited. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact can be significant, especially in high-traffic environments or where Envoy is a single point of failure. The requirement for specific rate limit configurations and failure conditions somewhat limits exploitability, but attackers able to induce these conditions could cause repeated crashes, impacting operational stability and potentially leading to service downtime or increased operational costs for recovery and mitigation.
Mitigation Recommendations
To mitigate CVE-2026-26330, organizations should upgrade Envoy to versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 or later, where the vulnerability has been fixed. Until upgrades can be applied, administrators should review and potentially disable the response phase rate limit with apply_on_stream_done enabled, or avoid enabling both request and response phase rate limits simultaneously to reduce exposure. Monitoring Envoy logs for crashes or unusual rate limit failures can help detect attempted exploitation. Implementing redundancy and failover mechanisms for Envoy proxies can minimize service disruption if crashes occur. Network-level protections such as rate limiting and filtering can reduce the likelihood of triggering the failure conditions remotely. Additionally, security teams should audit configurations to ensure that only necessary rate limiting features are enabled and that they are tested for stability under failure scenarios. Finally, maintaining an up-to-date inventory of Envoy versions in use across environments will facilitate timely patch management.
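As an added example (not code from the advisory or the Envoy project), the audit below flags an Envoy route configuration that carries both request phase rate limits and apply_on_stream_done rate limits while the running version is older than the fixed releases, which is the precondition the mitigation paragraph asks administrators to review. The route configuration, cluster and header names are constructed; the assumption that release series newer than 1.37 carry the fix and series older than 1.34 received none is labelled in the code.

```python
# Audit an Envoy route configuration for the CVE-2026-26330 precondition: request-phase
# and response-phase (apply_on_stream_done) rate limits together on an unfixed build.
# Fixed releases named in the advisory, keyed by minor series.
FIXED = {37: (1, 37, 1), 36: (1, 36, 5), 35: (1, 35, 8), 34: (1, 34, 13)}


def is_vulnerable_version(text):
    """True if 'v1.36.4' / '1.36.4' is older than the fix for its minor series.
    Assumption (not stated on the page): series after 1.37 carry the fix and
    series before 1.34 received no fixed release."""
    major, minor, patch = (int(p) for p in text.lstrip("v").split(".")[:3])
    if major != 1 or minor > 37:
        return False
    return minor < 34 or (major, minor, patch) < FIXED[minor]


def find_rate_limits(node, path="$"):
    """Yield (json_path, entry) for every entry of every rate_limits list in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "rate_limits" and isinstance(value, list):
                for i, entry in enumerate(value):
                    if isinstance(entry, dict):
                        yield f"{path}.rate_limits[{i}]", entry
            else:
                yield from find_rate_limits(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_rate_limits(item, f"{path}[{i}]")


def assess(config, version):
    """Conservative: any request-phase plus any response-phase limit on a vulnerable
    version counts as exposed (vhost and route limits are pooled, not scoped)."""
    request, response = [], []
    for path, entry in find_rate_limits(config):
        (response if entry.get("apply_on_stream_done") else request).append(path)
    vulnerable = is_vulnerable_version(version)
    exposed = vulnerable and bool(request) and bool(response)
    return {"version_vulnerable": vulnerable, "exposed": exposed,
            "request_phase": request, "response_phase": response}


# Constructed route configuration (not from the page) with both phases enabled.
SAMPLE_ROUTE_CONFIG = {"virtual_hosts": [{"name": "backend", "domains": ["*"], "routes": [{
    "match": {"prefix": "/"}, "route": {"cluster": "app", "rate_limits": [
        {"actions": [{"request_headers": {"header_name": "x-client-id", "descriptor_key": "client"}}]},
        {"apply_on_stream_done": True,
         "actions": [{"generic_key": {"descriptor_value": "response_phase"}}]}]}}]}]}
```

Feed `assess` the parsed JSON or YAML of a real route configuration together with the output of `envoy --version`; an `exposed` result means either upgrade or drop one of the two phases until the fixed release is deployed.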
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-13T16:27:51.810Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b071392f860ef943a5fd3b
Added to database: 3/10/2026, 7:30:01 PM
Last enriched: 3/10/2026, 7:47:09 PM
Last updated: 3/14/2026, 12:06:11 AM