
CVE-2026-26309 is an off-by-one write vulnerability in Envoy::JsonEscaper::escapeString() that can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads. It affects Envoy proxy versions prior to 1.37.1, 1.36.5, 1.35.8 (or 1.35.9 per the advisory), and 1.34.13. The vulnerability was published on March 10, 2026, with patches released the same day. It carries a CVSS v3.1 base score of 5.3 (Medium) (Github Advisory, Envoy Advisory).
The root cause is an off-by-one error (CWE-193) in the control-character escaping path of source/common/common/json_escape_string.h. When processing control characters (0x00–0x1f), the function pre-allocates the result string to the exact final length, then uses sprintf(&result[position + 1], "u%04x", ...) to write the 6-character JSON escape sequence (\u00XX) plus the trailing NUL byte that sprintf always appends. After advancing position += 6, the code writes result[position] = '\\' to overwrite that NUL; however, if the control character is the last character in the input, position equals result.size(), so this write lands one byte past the end of the string's own contents, on its null terminator. This violates the std::string contract that c_str()[size()] == '\0', and the corrupted null terminator can trigger undefined behavior when the string is subsequently passed to C APIs such as strlen or printf("%s"). The vulnerable code path is reachable from request-driven processing, including invalid HTTP header key reporting in source/common/http/header_utility.cc:538–546. A public proof-of-concept reproducer (compilable C++ code) is available in the security advisory (Envoy Advisory).
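The safe shape of the same escaper, as an added example (this is not Envoy's code, neither the vulnerable nor the patched version, and the function names are this example's own): the result is built by appending rather than by pre-sizing the buffer and writing into it with sprintf, so the NUL that snprintf emits only ever lands in a local scratch buffer and std::string keeps its own terminator. The two helper functions check the exact contract the advisory says is broken and the length arithmetic that the pre-sizing approach relied on.

```cpp
// Added example (not Envoy's code): a JSON string escaper written so that
// it cannot write past the end of its output. Instead of pre-sizing the
// result and writing into it with sprintf (which also emits a trailing NUL),
// every escape is appended, so std::string keeps its terminator intact.
#include <cassert>
#include <cstdio>
#include <cstring>
#include <string>

// Escape `s` for embedding in a JSON string literal. Control characters
// 0x00-0x1f become \u00XX (six bytes); quote and backslash are escaped too.
// Function name and exact escape set are this example's own assumptions.
std::string escapeStringSafe(const std::string& s) {
  std::string result;
  result.reserve(s.size());  // a hint only; append() grows as needed
  for (unsigned char c : s) {
    switch (c) {
      case '"':  result += "\\\""; break;
      case '\\': result += "\\\\"; break;
      case '\b': result += "\\b"; break;
      case '\f': result += "\\f"; break;
      case '\n': result += "\\n"; break;
      case '\r': result += "\\r"; break;
      case '\t': result += "\\t"; break;
      default:
        if (c < 0x20) {
          // snprintf writes "\u00XX" plus a NUL into a local buffer that has
          // room for both; only the six escape bytes are then appended.
          char buf[8];
          std::snprintf(buf, sizeof(buf), "\\u%04x", static_cast<unsigned>(c));
          result.append(buf, 6);
        } else {
          result.push_back(static_cast<char>(c));
        }
    }
  }
  return result;
}

// The std::string contract the CVE violates: the byte at c_str()[size()]
// must be NUL, and strlen must agree with size() because an escaper never
// emits an embedded NUL.
bool terminatorIntact(const std::string& s) {
  return s.c_str()[s.size()] == '\0' && std::strlen(s.c_str()) == s.size();
}

// Expected output length: the seven characters with short escapes expand
// from 1 to 2 bytes, every other control character from 1 to 6, and
// everything else is copied through unchanged.
size_t expectedEscapedLength(const std::string& s) {
  size_t n = 0;
  for (unsigned char c : s) {
    if (c == '"' || c == '\\' || c == '\b' || c == '\f' ||
        c == '\n' || c == '\r' || c == '\t') {
      n += 2;
    } else if (c < 0x20) {
      n += 6;
    } else {
      n += 1;
    }
  }
  return n;
}

int main() {
  // Constructed input: a header-like value ending in a control character,
  // the case the advisory describes as triggering the off-by-one.
  const std::string input = std::string("x-bad\x1f", 6);
  const std::string out = escapeStringSafe(input);
  std::printf("%s\n", out.c_str());  // x-bad\u001f
  assert(terminatorIntact(out));
  assert(out.size() == expectedEscapedLength(input));
  return 0;
}
```

The point of `expectedEscapedLength` is that the arithmetic itself is correct: the exact-size pre-allocation in the vulnerable path was right, and the defect was the extra NUL that sprintf writes beyond the counted bytes. Building the output incrementally removes the need to reason about that extra byte at all.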
The primary impact is availability: an unauthenticated remote attacker can send a crafted request containing a control character (0x00–0x1f) at the end of a value processed by the JSON escaper, triggering undefined behavior that may crash the Envoy proxy process. There is no direct confidentiality or integrity impact per the CVSS scoring, though the undefined behavior could theoretically enable out-of-bounds reads in certain runtime conditions. As Envoy is commonly deployed as a critical edge or service mesh proxy, a crash could disrupt traffic routing across dependent microservices (Github Advisory, Envoy Advisory).
Upgrade Envoy to one of the patched versions: 1.37.1, 1.36.5, 1.35.8 (or 1.35.9 per the GitHub Advisory Database), or 1.34.13, depending on the current version branch. If immediate patching is not feasible, restrict network exposure by limiting access to trusted sources and implementing network-level controls (e.g., WAF rules or ingress filtering) to block requests containing control characters in header fields. Prioritize patching for Envoy instances exposed to untrusted network traffic (Github Advisory, Envoy Advisory).
The Istio project released version 1.28.5 in response to this and related vulnerabilities, as Istio bundles Envoy as its data plane proxy (Istio Release). Amazon Web Services issued a security advisory (ALAS2ECS-2026-100) for Amazon Linux 2 ECS environments affected by this CVE. Tenable published a Nessus detection plugin (ID 304594) and Qualys added detection (IDs 362097, 362063), indicating broad scanner coverage. No significant public researcher commentary or social media discussion beyond standard vulnerability tracking has been observed.
Source: This report was generated using artificial intelligence.