Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-26309

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 1 month ago

Envoy has an off-by-one write in JsonEscaper::escapeString()

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943 x_refsource_CONFIRM

Affected products

envoy

==>= 1.37.0, < 1.37.1
==< 1.34.13
==>= 1.36.0, < 1.36.5
==>= 1.35.0, < 1.35.9

Matching in nixpkgs

pkgs.envoy

Cloud-native edge and service proxy

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.2
- nixos-25.11-small 1.36.2
- nixpkgs-25.11-darwin 1.36.2

pkgs.envoy-bin

Cloud-native edge and service proxy

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.4
- nixos-25.11-small 1.36.4
- nixpkgs-25.11-darwin 1.36.4

pkgs.opa-envoy-plugin

A plugin to enforce OPA policies with Envoy

nixos-unstable 1.13.2-envoy-2
- nixpkgs-unstable 1.13.2-envoy-2
- nixos-unstable-small 1.13.2-envoy-2
nixos-25.11 1.10.0-envoy
- nixos-25.11-small 1.10.0-envoy
- nixpkgs-25.11-darwin 1.10.0-envoy

pkgs.python312Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python313Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1
nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python314Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1

pkgs.python312Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python313Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3
nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python314Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@lukegb Luke Granger-Brown <nix@lukegb.com>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@charlieegan3 Charlie Egan <git@charlieegan3.com>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>