CVE-2026-26310: 
Envoy Schwachstellenanalyse und -minderung

CVE-2026-26310 is a Denial of Service vulnerability in Envoy proxy caused by a crash when processing scoped IPv6 addresses in the Utility::getAddressWithPort function. It affects Envoy versions prior to 1.37.1, 1.36.5, 1.35.8/1.35.9, and 1.34.13, and was published on March 10, 2026. The vulnerability was assigned a CVSS v3.1 base score of 5.9 (Moderate) by GitHub/ENISA, though NVD rates it 7.5 (High) due to differing attack complexity assessments (Github Advisory, Envoy Advisory).

The root cause is improper input validation (CWE-20) in the Utility::getAddressWithPort function within Envoy's data plane. When a scoped IPv6 address (an IPv6 address containing a zone ID, e.g., fe80::1%eth0) is passed to this function, it triggers an unhandled crash. The vulnerability is reachable via two data-plane code paths: the original_src filter (if configured to use a scoped IPv6 address as the original source) and the DNS filter (if a DNS response returns a scoped IPv6 address). No authentication or special privileges are required to trigger the crash, though exploitation via the DNS path depends on the attacker's ability to influence DNS responses seen by Envoy (Envoy Advisory).

Successful exploitation causes the Envoy proxy process to crash, resulting in complete unavailability of the proxy and a full denial of service for all traffic it handles. There is no confidentiality or integrity impact — the vulnerability is purely an availability issue. Environments relying on Envoy as a service mesh sidecar or edge proxy (e.g., Istio-based deployments) may experience widespread service disruption if the proxy is crashed repeatedly (Github Advisory, Envoy Advisory).

1. Reconnaissance: Identify Envoy proxy deployments running vulnerable versions (prior to 1.37.1, 1.36.5, 1.35.8, or 1.34.13) that have the original_src filter configured or perform DNS resolution for upstream services.
2. Method A — Original Src Filter: If the target Envoy instance has the original_src filter enabled, craft a request that presents a scoped IPv6 address (e.g., fe80::1%eth0) as the original source IP. This can be achieved by manipulating the source address at the network layer or via a trusted upstream that forwards the scoped address.
3. Method B — DNS Response Injection: Position the attacker to influence DNS responses seen by Envoy (e.g., via DNS spoofing, a rogue DNS server, or a compromised upstream resolver). Return a DNS response containing a scoped IPv6 address for a hostname that Envoy resolves for upstream cluster endpoints.
4. Trigger the crash: When Envoy processes the scoped IPv6 address through either code path, Utility::getAddressWithPort crashes the proxy process, causing a denial of service.
5. Sustain the DoS: Repeat the trigger to prevent Envoy from recovering if it is configured to auto-restart, maintaining service unavailability (Envoy Advisory).

• Logs: Envoy process crash logs or core dump files referencing Utility::getAddressWithPort or related address parsing functions; sudden process termination entries in system logs (e.g., journalctl showing Envoy exiting unexpectedly).
• Network: DNS responses containing scoped IPv6 addresses (zone IDs such as %eth0 or %1 appended to IPv6 addresses) destined for Envoy instances; unusual DNS traffic patterns from unexpected resolvers.
• Process: Repeated Envoy process restarts (e.g., via container orchestration restart logs in Kubernetes); absence of Envoy health check responses coinciding with scoped IPv6 address traffic.
• File System: Unexpected core dump files in the Envoy working directory following crashes (Envoy Advisory).

Upgrade Envoy to patched versions: 1.37.1, 1.36.5, 1.35.8 (or 1.35.9 per the advisory), or 1.34.13. If immediate patching is not possible, implement network-level filtering to block or sanitize scoped IPv6 addresses (those containing zone IDs) before they reach Envoy, and restrict DNS resolvers to trusted sources that do not return scoped IPv6 addresses. Istio users should also apply the corresponding Istio patch release (1.28.5 references this fix) (Envoy Advisory, Github Advisory).

The Istio project released version 1.28.5 shortly after the Envoy advisory was published, referencing this fix as part of its upstream dependency update. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Istio Release).