Envoy Denial-of-Service Vulnerability Due to Scoped IPv6 Address Handling

Vulnerability

A denial-of-service vulnerability has been identified in Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13. The issue arises when the Utility::getAddressWithPort function is called with scoped IPv6 addresses, leading to a crash. This function is utilized in the data plane by the original_src filter and the dns filter. When a scoped IPv6 address is passed to the utility, it causes Envoy to crash, disrupting service.

Impact

Exploiting this vulnerability causes Envoy to crash, leading to a denial-of-service condition. This impacts users with the original_src filter configured or those whose Envoy instances process DNS responses containing scoped IPv6 addresses.

Reproduction

The vulnerability can be reproduced in two ways: 1. Method A (Original Src Filter): Configure the original src filter in Envoy and provide a scoped IPv6 address as the original source. 2. Method B (DNS Resolution): Trigger a DNS resolution process within Envoy that involves a DNS response containing a scoped IPv6 address.

Remediation

Users can upgrade to Envoy versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 to address this vulnerability.

Added: Mar 10, 2026, 8:37 PM
Updated: Mar 10, 2026, 8:37 PM

Vulnerability Rating

Custom Algorithm
spread
7.3
impact
2.5
exploitability
9.5
remediation
7.7
relevance
2.5
threat
6.4
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.