CVE-2026-26330: 
Envoy 脆弱性の分析と軽減

CVE-2026-26330 is a Use After Free (CWE-416) vulnerability in Envoy Proxy's global rate limit filter that can cause a crash (denial of service) when the response phase limit is enabled and the response phase request fails directly. It affects Envoy versions prior to 1.34.13, 1.35.x prior to 1.35.8, 1.36.x prior to 1.36.5, and version 1.37.0. The vulnerability was published on March 10, 2026, with fixes released the same day. It carries a CVSS v3.1 base score of 7.5 (High) per NVD, or 5.3 (Moderate) per the GitHub Advisory (Github Advisory, Envoy Advisory).

The root cause is a use-after-free condition (CWE-416) in Envoy's rate limit filter. When both request phase and response phase rate limits are enabled, the safe gRPC client instance is reused for both phases. After the request phase completes, the inner state of the gRPC client is not properly cleaned up; when a second limit request is sent during the response phase and that request fails directly (e.g., no healthy endpoints available for the rate limit service), Envoy accesses the stale inner state of the previous request, resulting in a crash. The vulnerability requires the apply_on_stream_done option to be enabled in the rate limit configuration alongside a standard request phase limit, and is only triggered when the rate limit service request fails immediately rather than timing out (Github Advisory, Envoy Advisory).

Successful exploitation results in a denial of service (DoS) condition — specifically, a crash of the Envoy proxy process — with high availability impact. There is no confidentiality or integrity impact; data is not exposed or modified. Because Envoy is commonly deployed as an edge proxy, service mesh sidecar, or API gateway, a crash could disrupt traffic routing for all services behind the affected instance (Github Advisory, Envoy Advisory).

Envoy has released patched versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13, which resolve this vulnerability. Organizations unable to upgrade immediately can apply the following configuration workaround: split any rate limit filter that contains both normal rate limit configuration (request phase, without apply_on_stream_done) and response phase configuration (apply_on_stream_done) into two separate rate limit filters — one containing only the request phase configuration and one containing only the response phase configuration. Additionally, ensuring proper health checking of the rate limit service endpoint reduces the likelihood of triggering the failure condition (Github Advisory, Envoy Advisory).

The vulnerability was credited to Mandar Jog and coordinated by Envoy maintainers including phlax, yanavlasov, botengyao, and agrawroh. Istio released a related update (1.28.5) referencing this CVE, indicating downstream impact on service mesh deployments. Amazon Linux also issued a security advisory (ALAS2ECS-2026-100) for affected ECS environments. Community reaction has been limited given the moderate severity and difficult exploitation conditions (Github Advisory).