CVE-2026-26309 PUBLISHED

Envoy has an off-by-one write in JsonEscaper::escapeString()

Assigner: GitHub_M
Reserved: 13.02.2026 Published: 10.03.2026 Updated: 10.03.2026

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	envoyproxy
Product	envoy
Versions	Version >= 1.37.0, < 1.37.1 is affected Version >= 1.36.0, < 1.36.5 is affected Version >= 1.35.0, < 1.35.9 is affected Version < 1.34.13 is affected

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943

Problem Types

CWE-193: Off-by-one Error CWE