CVE-2026-26311
Envoy vulnerability analysis and mitigation

Overview

CVE-2026-26311 is a Use-After-Free (UAF) vulnerability in Envoy's HTTP connection manager (FilterManager) that enables "Zombie Stream Filter Execution" — where filter callbacks are invoked on HTTP streams that have already been logically reset and cleaned up. It was originally reported to the Google OSS VRP (Issue ID: 477542544) and publicly disclosed on March 10, 2026. Affected versions include Envoy prior to 1.34.13, 1.35.0–1.35.7, 1.36.0–1.36.4, and 1.37.0; fixed versions are 1.34.13, 1.35.8, 1.36.5, and 1.37.1. The CVSS v3.1 base score is 5.9 (Medium) (GitHub Advisory, Envoy Advisory).

Technical details

The root cause (CWE-416: Use After Free) is in source/common/http/filter_manager.cc, in the FilterManager::decodeData method.

When an HTTP/2 stream is reset (for example by StreamIdleTimeout, by OverloadManager limits, or by a filter-triggered local reset), onResetStream sets state_.saw_downstream_reset_ = true, calls onDestroy() on every filter (freeing their internal resources), and schedules the ActiveStream object for deferred deletion. The ActiveStream object itself remains allocated during that deferred-deletion window. If a DATA frame for the same stream arrives in the same packet-processing cycle, the HTTP/2 codec still invokes ActiveStream::decodeData, which cascades into FilterManager::decodeData. That method did not check the saw_downstream_reset_ flag before iterating over decoder_filters_ and calling decodeData() on filter objects that had already been destroyed.

The fix adds an early-exit guard, if (state_.saw_downstream_reset_) { return; }, at the start of FilterManager::decodeData. A public C++ unit test PoC (zombie_stream_poc_test.cc) deterministically reproduces the issue (Envoy Advisory).
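To make the reset-then-DATA ordering concrete, here is an added illustrative C++ model. It is not Envoy's source and not the advisory's PoC; it reuses the identifiers the advisory names (state_.saw_downstream_reset_, onResetStream, onDestroy, decoder_filters_, decodeData) but replaces real memory freeing with a destroyed flag, so a callback on a dead filter is counted instead of producing undefined behaviour. The guard_enabled switch and the zombieInvocations helper are assumptions made for the demonstration.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Illustrative model only (not Envoy source). Identifiers follow the advisory's
// description; memory freeing is replaced by a `destroyed` flag so a zombie
// invocation is counted instead of being undefined behaviour.
struct DecoderFilter {
  bool destroyed = false;       // set by onDestroy(), stands in for freed resources
  int calls_after_destroy = 0;  // how many times decodeData ran on a dead filter

  void onDestroy() { destroyed = true; }

  // Returns true for a legitimate call, false for a call on a destroyed filter.
  bool decodeData(const std::string& /*data*/, bool /*end_stream*/) {
    if (destroyed) {
      ++calls_after_destroy;
      return false;
    }
    return true;
  }
};

struct FilterManager {
  struct State {
    bool saw_downstream_reset_ = false;
  } state_;
  std::vector<std::shared_ptr<DecoderFilter>> decoder_filters_;
  bool guard_enabled;  // assumption: true = patched behaviour, false = pre-fix behaviour

  explicit FilterManager(bool guarded) : guard_enabled(guarded) {}

  // Reset path: flag the reset and destroy every filter. The owning ActiveStream
  // stays allocated until deferred deletion runs, which is why a later callback
  // can still reach this object.
  void onResetStream() {
    state_.saw_downstream_reset_ = true;
    for (auto& f : decoder_filters_) f->onDestroy();
  }

  // Data path: returns the number of filters invoked after destruction (0 when healthy).
  int decodeData(const std::string& data, bool end_stream) {
    if (guard_enabled && state_.saw_downstream_reset_) {
      return 0;  // the early-exit guard added by the fix
    }
    int zombie = 0;
    for (auto& f : decoder_filters_) {
      if (!f->decodeData(data, end_stream)) ++zombie;
    }
    return zombie;
  }
};

// Replays the ordering from the advisory: stream reset, then a DATA frame for the
// same stream before deferred deletion has run. Returns the zombie-call count.
int zombieInvocations(bool guarded, int num_filters) {
  FilterManager fm(guarded);
  for (int i = 0; i < num_filters; ++i) {
    fm.decoder_filters_.push_back(std::make_shared<DecoderFilter>());
  }
  fm.onResetStream();
  // Constructed payload; only the ordering matters for the model.
  return fm.decodeData("constructed DATA frame payload", false);
}

int main() {
  std::cout << "unpatched: " << zombieInvocations(false, 3) << " zombie filter calls\n";
  std::cout << "patched:   " << zombieInvocations(true, 3) << " zombie filter calls\n";
  return 0;
}
```

With the guard disabled every filter in the chain is invoked after its onDestroy() ran, which is the "zombie stream filter execution" the advisory describes; with the guard enabled the data path returns before touching decoder_filters_. The model deliberately keeps the filter objects alive so the outcome is observable in a test rather than a crash.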

Impact

The primary impact is a Denial of Service (DoS) — an unauthenticated remote attacker can crash the Envoy proxy by sending HTTP/2 DATA frames on recently-reset streams, triggering undefined behavior in freed filter objects. In more sophisticated scenarios involving heap grooming, the UAF primitive could theoretically enable vtable hijacking or arbitrary write-what-where primitives, potentially escalating to Remote Code Execution (RCE), particularly in deployments using memory-unsafe C++ extensions or third-party filters. Additionally, the vulnerability can bypass Envoy's fail-closed security architecture, allowing malicious payloads to reach deeper into the filter chain or backend services even after a security policy explicitly terminated the stream (Envoy Advisory, GitHub Advisory).

Mitigation and workarounds

Upgrade Envoy to one of the patched versions: 1.34.13, 1.35.8, 1.36.5, or 1.37.1. Version 1.37.0 is specifically vulnerable and should be avoided. For organizations unable to patch immediately, the advisory recommends monitoring for anomalous HTTP/2 traffic patterns and considering rate-limiting or filtering of reset stream conditions at the network edge. The fix adds an explicit saw_downstream_reset_ state check at the beginning of FilterManager::decodeData to prevent filter callback execution on logically dead streams (Envoy Advisory, GitHub Advisory).

Community reactions

The vulnerability was originally reported to the Google OSS VRP and subsequently coordinated directly with Envoy maintainers, reflecting standard responsible disclosure practices for open-source infrastructure projects. The Istio project released version 1.28.5 referencing this CVE, indicating downstream impact on service mesh deployments. Amazon Web Services published an advisory (ALAS2ECS-2026-100) for Amazon Linux 2 ECS environments, and Tenable added detection coverage via Nessus plugin 304587. No significant public researcher commentary or social media discussion beyond standard vulnerability tracking has been observed.

Additional resources

Source: This report was generated using artificial intelligence.

Related Envoy vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name               Exploit CISA KEV  Has fix  Publication date
CVE-2026-26330  HIGH      7.5    Envoy         envoy                        No                         Mar 10, 2026
CVE-2026-26310  HIGH      7.5    Envoy         github.com/envoyproxy/envoy  No                         Mar 10, 2026
CVE-2026-26311  MEDIUM    5.9    Envoy         cpe:2.3:a:envoyproxy:envoy   No                         Mar 10, 2026
CVE-2026-26309  MEDIUM    5.3    Envoy         github.com/envoyproxy/envoy  No                         Mar 10, 2026
CVE-2026-47774  HIGH      N/A    Envoy         cpe:2.3:a:envoyproxy:envoy   No                         Jun 03, 2026
