CVE-2026-26310 MEDIUM

CVE-2026-26310: Crash for scoped ip address in Envoy during DNS

Vendor Envoyproxy

Product envoy

Weakness CWE-20 · Input validation

Published March 10, 2026

Last update March 10, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

March 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-26310

Related vulnerabilities

Identifiers

CVE CVE-2026-26310

CWE CWE-20

CVSS 5.9 / MEDIUM

Affected versions

Vendor Envoyproxy

Product envoy

Affected >= 1.37.0, < 1.37.1

Vendor Envoyproxy

Product envoy

Affected >= 1.36.0, < 1.36.5

Vendor Envoyproxy

Product envoy

Affected >= 1.35.0, < 1.35.9

Vendor Envoyproxy

Product envoy

Affected < 1.34.13

CVE-2026-26310: Crash for scoped ip address in Envoy during DNS

01Description

02Disclosure timeline

03References

04Related CVE