Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0587

NIXPKGS-2026-0587
published on 11 Mar 2026
Permalink CVE-2026-26310
updated 3 days, 19 hours ago by @mweinelt Activity log
  • Created automatic suggestion 4 days, 4 hours ago
  • @mweinelt removed
    11 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • tests.home-assistant-component-tests.enphase_envoy
    3 days, 19 hours ago
  • @mweinelt accepted 3 days, 19 hours ago
  • @mweinelt published on GitHub 3 days, 19 hours ago
Crash for scoped ip address in Envoy during DNS

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

References

Affected products

envoy
  • ==>= 1.35.0, < 1.35.9
  • ==>= 1.36.0, < 1.36.5
  • ==>= 1.37.0, < 1.37.1
  • ==< 1.34.13

Matching in nixpkgs

Ignored packages (11)

Package maintainers

https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p