CVE-2026-26309
Envoy Vulnerability Analysis and Mitigation

Overview

CVE-2026-26309 is an off-by-one write vulnerability in Envoy::JsonEscaper::escapeString() that can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads. It affects Envoy proxy versions prior to 1.37.1, 1.36.5, 1.35.8 (or 1.35.9 per the advisory), and 1.34.13. The vulnerability was published on March 10, 2026, with patches released the same day. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Envoy Advisory).

Technical Details

The root cause is an off-by-one error (CWE-193) in the control-character escaping path of source/common/common/json_escape_string.h. When processing control characters (0x00–0x1f), the function pre-allocates the result string to the exact final length, then uses sprintf(&result[position + 1], "u%04x", ...) to write the body of the 6-character JSON escape sequence (\u00XX) plus a trailing NUL byte. After advancing position += 6, the code writes result[position] = '\\' over that trailing NUL; however, if the control character is the last character in the input, position equals result.size(), so this write lands one byte past the end of the allocated buffer. This violates the std::string contract that c_str()[size()] == '\0', and the corrupted null terminator can trigger undefined behavior when the string is subsequently passed to C APIs such as strlen or printf("%s"). The vulnerable code path is reachable from request-driven processing, including invalid HTTP header key reporting in source/common/http/header_utility.cc:538–546. A public proof-of-concept reproducer (compilable C++ code) is available in the security advisory (Envoy Advisory).
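The pre-sized-buffer arithmetic described above, as an added example that is not Envoy's code: a hardened escaper that emits \u00XX byte by byte so the terminator is never written, and a function that replays only the index arithmetic of the original sprintf-based path (without performing any write) so the off-by-one can be observed on a string that ends in a control character. The function names and the sample inputs are this example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>

// Single-letter escape for the short JSON forms, 0 when the byte has none.
static char shortEscape(unsigned char c) {
  switch (c) {
    case '"': return '"';  case '\\': return '\\'; case '\b': return 'b';
    case '\f': return 'f'; case '\n': return 'n';  case '\r': return 'r';
    case '\t': return 't'; default: return 0;
  }
}

// Hardened escaper: exact pre-sizing is kept, but \u00XX is emitted byte by
// byte (no sprintf, no stray NUL), so the highest index written is always
// size() - 1 and the std::string terminator is never touched.
std::string escapeStringSafe(const std::string& s) {
  std::size_t space = 0;  // extra bytes: 1 per short escape, 5 per \u00XX
  for (unsigned char c : s) space += shortEscape(c) ? 1 : (c <= 0x1f ? 5 : 0);
  if (space == 0) return s;
  std::string result(s.size() + space, '\0');
  static const char hex[] = "0123456789abcdef";
  std::size_t pos = 0;
  for (unsigned char c : s) {
    if (char e = shortEscape(c)) {
      result[pos++] = '\\'; result[pos++] = e;
    } else if (c <= 0x1f) {
      const char seq[6] = {'\\', 'u', '0', '0', hex[c >> 4], hex[c & 0x0f]};
      for (char b : seq) result[pos++] = b;
    } else {
      result[pos++] = static_cast<char>(c);
    }
  }
  return result;  // pos == result.size() here, never greater
}

// Replays only the index arithmetic of the original sprintf-based path
// (sprintf at pos + 1, pos += 6, then result[pos] = '\\') without writing,
// and returns the highest index that path would touch. A value equal to the
// escaped length means the backslash lands one byte past the end.
std::size_t originalMaxWriteIndex(const std::string& s) {
  std::size_t pos = 0, maxIdx = 0;
  for (unsigned char c : s) {
    if (shortEscape(c)) { pos += 2; maxIdx = std::max(maxIdx, pos - 1); }
    else if (c <= 0x1f) { pos += 6; maxIdx = std::max(maxIdx, pos); }
    else { pos += 1; maxIdx = std::max(maxIdx, pos - 1); }
  }
  return maxIdx;
}
```

For the constructed input "abc\x01" the escaped length is 9 and the original path's last write index is also 9, i.e. result[size()]; with the control character moved to the front the last index drops back to 8.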

Impact

The primary impact is availability: an unauthenticated remote attacker can send a crafted request containing a control character (0x00–0x1f) at the end of a value processed by the JSON escaper, triggering undefined behavior that may crash the Envoy proxy process. There is no direct confidentiality or integrity impact per the CVSS scoring, though the undefined behavior could theoretically enable out-of-bounds reads in certain runtime conditions. As Envoy is commonly deployed as a critical edge or service mesh proxy, a crash could disrupt traffic routing across dependent microservices (GitHub Advisory, Envoy Advisory).

Exploitation Steps

  1. Identify target: Locate an internet-facing or network-accessible Envoy proxy instance running a vulnerable version (prior to 1.37.1, 1.36.5, 1.35.8/1.35.9, or 1.34.13).
  2. Craft malicious request: Construct an HTTP request that includes a value containing a control character (0x00–0x1f, e.g., \x01) as the final byte in a field that Envoy will JSON-escape, such as an invalid HTTP header key that triggers the error-reporting path in header_utility.cc.
  3. Send the request: Transmit the crafted request to the Envoy proxy. No authentication or special privileges are required.
  4. Trigger the off-by-one write: Envoy's JsonEscaper::escapeString() processes the control character at the end of the string, writes the \u00XX escape sequence via sprintf, advances position to result.size(), and then writes '\\' one byte past the end of the allocated buffer.
  5. Achieve denial of service: The corrupted null terminator causes undefined behavior when the resulting string is used as a C-string (e.g., passed to strlen or a logging function), potentially crashing the Envoy process and disrupting proxied traffic (Envoy Advisory).

Indicators of Compromise

  • Network: Unusual HTTP requests with control characters (0x00–0x1f) in header names or values directed at Envoy proxy endpoints.
  • Logs: Envoy access or error logs showing requests with malformed/invalid header keys followed by crash events or process restarts; error messages referencing JSON escaping or header utility processing.
  • Process: Unexpected Envoy process crashes or restarts (e.g., segmentation faults, SIGABRT) correlated with specific inbound requests; AddressSanitizer reports referencing JsonEscaper::escapeString() or json_escape_string.h if running instrumented builds.
  • System: Core dump files generated by the Envoy process with stack traces pointing to Envoy::JsonEscaper::escapeString() or header_utility.cc (Envoy Advisory).

Mitigation and Workarounds

Upgrade Envoy to one of the patched versions: 1.37.1, 1.36.5, 1.35.8 (or 1.35.9 per the GitHub Advisory Database), or 1.34.13, depending on the current version branch. If immediate patching is not feasible, restrict network exposure by limiting access to trusted sources and implementing network-level controls (e.g., WAF rules or ingress filtering) to block requests containing control characters in header fields. Prioritize patching for Envoy instances exposed to untrusted network traffic (GitHub Advisory, Envoy Advisory).

Community Reactions

The Istio project released version 1.28.5 in response to this and related vulnerabilities, as Istio bundles Envoy as its data plane proxy (Istio Release). Amazon Web Services issued a security advisory (ALAS2ECS-2026-100) for Amazon Linux 2 ECS environments affected by this CVE. Tenable published a Nessus detection plugin (ID 304594) and Qualys added detection (IDs 362097, 362063), indicating broad scanner coverage. No significant public researcher commentary or social media discussion beyond standard vulnerability tracking has been observed.


Related Envoy vulnerabilities:

CVE ID          Severity  Score  Technology  Component name              CISA KEV exploit  Has fix  Published
CVE-2026-47774  HIGH      7.5    Envoy       cpe:2.3:a:envoyproxy:envoy  No                Yes      Jun 17, 2026
CVE-2026-26330  HIGH      7.5    Envoy       envoy                       No                Yes      Mar 10, 2026
CVE-2026-26310  HIGH      7.5    Envoy       envoy                       No                Yes      Mar 10, 2026
CVE-2026-26311  MEDIUM    5.9    Envoy       cpe:2.3:a:envoyproxy:envoy  No                Yes      Mar 10, 2026
CVE-2026-26309  MEDIUM    5.3    Envoy       github.com/envoyproxy/envoy No                Yes      Mar 10, 2026
