CVE-2026-26310
Envoy Vulnerability Analysis and Mitigation

Overview

CVE-2026-26310 is a Denial of Service vulnerability in Envoy proxy caused by a crash when processing scoped IPv6 addresses in the Utility::getAddressWithPort function. It affects Envoy versions prior to 1.37.1, 1.36.5, 1.35.8/1.35.9, and 1.34.13, and was published on March 10, 2026. The vulnerability was assigned a CVSS v3.1 base score of 5.9 (Moderate) by GitHub/ENISA, though NVD rates it 7.5 (High) due to differing attack complexity assessments (GitHub Advisory, Envoy Advisory).

Technical details

The root cause is improper input validation (CWE-20) in the Utility::getAddressWithPort function within Envoy's data plane. When a scoped IPv6 address (an IPv6 address containing a zone ID, e.g., fe80::1%eth0) is passed to this function, it triggers an unhandled crash. The vulnerability is reachable via two data-plane code paths: the original_src filter (if configured to use a scoped IPv6 address as the original source) and the DNS filter (if a DNS response returns a scoped IPv6 address). No authentication or special privileges are required to trigger the crash, though exploitation via the DNS path depends on the attacker's ability to influence DNS responses seen by Envoy (Envoy Advisory).

Impact

Successful exploitation causes the Envoy proxy process to crash, resulting in complete unavailability of the proxy and a full denial of service for all traffic it handles. There is no confidentiality or integrity impact; the vulnerability is purely an availability issue. Environments relying on Envoy as a service mesh sidecar or edge proxy (e.g., Istio-based deployments) may experience widespread service disruption if the proxy is crashed repeatedly (GitHub Advisory, Envoy Advisory).

Mitigation and workarounds

Upgrade Envoy to patched versions: 1.37.1, 1.36.5, 1.35.8 (or 1.35.9 per the advisory), or 1.34.13. If immediate patching is not possible, implement network-level filtering to block or sanitize scoped IPv6 addresses (those containing zone IDs) before they reach Envoy, and restrict DNS resolvers to trusted sources that do not return scoped IPv6 addresses. Istio users should also apply the corresponding Istio patch release (1.28.5 references this fix) (Envoy Advisory, GitHub Advisory).
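
One way to run the two checks this mitigation implies, as an added example (not code from the Envoy project or the advisory): it flags Envoy builds older than the fixed releases listed on this page and picks scoped IPv6 literals out of a list of addresses taken from configuration or resolver records. The function names, the sample list and the handling of branches outside 1.34 to 1.37 are assumptions.

```python
import ipaddress
import re

# Fixed releases named on this page, keyed by (major, minor) branch.
# For 1.35 the page lists both 1.35.8 and 1.35.9; the lower one is used here.
PATCHED = {(1, 37): 1, (1, 36): 5, (1, 35): 8, (1, 34): 13}


def is_affected_version(version: str) -> bool:
    """True if `version` (e.g. '1.36.4') predates the fix on its branch."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in PATCHED:
        return patch < PATCHED[branch]
    # Assumption: branches older than the oldest listed one have no fix,
    # newer branches already include it.
    return branch < min(PATCHED)


def scoped_ipv6_zone(value: str):
    """Return the zone ID of a scoped IPv6 literal (bare or bracketed), else None."""
    host = value.strip()
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]  # drop brackets and any :port suffix
    addr, sep, zone = host.partition("%")
    if not sep or not zone:
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # text before '%' is not an IP literal (e.g. a hostname)
    return zone if ip.version == 6 else None


def audit(version: str, addresses):
    """List the scoped IPv6 entries that matter on an affected build."""
    if not is_affected_version(version):
        return []
    return [a for a in addresses if scoped_ipv6_zone(a) is not None]


# Constructed sample: addresses pulled from config or resolver records.
SAMPLE = ["10.0.0.5", "2001:db8::10", "fe80::1%eth0", "[fe80::2%3]:8080", "host%name"]
```

Calling audit("1.37.0", SAMPLE) returns the two scoped entries; on a patched build it returns an empty list.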

Community reactions

The Istio project released version 1.28.5 shortly after the Envoy advisory was published, referencing this fix as part of its upstream dependency update. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Istio Release).

Source: This report was generated using artificial intelligence

Related Envoy vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Publication date
CVE-2026-26330 | HIGH | 7.5 | Envoy | envoy | No | | Mar 10, 2026
CVE-2026-26310 | HIGH | 7.5 | Envoy | github.com/envoyproxy/envoy | No | | Mar 10, 2026
CVE-2026-26311 | MEDIUM | 5.9 | Envoy | cpe:2.3:a:envoyproxy:envoy | No | | Mar 10, 2026
CVE-2026-26309 | MEDIUM | 5.3 | Envoy | github.com/envoyproxy/envoy | No | | Mar 10, 2026
CVE-2026-47774 | HIGH | N/A | Envoy | cpe:2.3:a:envoyproxy:envoy | No | | Jun 03, 2026
