Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-26310

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 1 month ago

Crash for scoped ip address in Envoy during DNS

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p x_refsource_CONFIRM

Affected products

envoy

==>= 1.35.0, < 1.35.9
==< 1.34.13
==>= 1.37.0, < 1.37.1
==>= 1.36.0, < 1.36.5

Matching in nixpkgs

pkgs.envoy

Cloud-native edge and service proxy

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.2
- nixos-25.11-small 1.36.2
- nixpkgs-25.11-darwin 1.36.2

pkgs.envoy-bin

Cloud-native edge and service proxy

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.4
- nixos-25.11-small 1.36.4
- nixpkgs-25.11-darwin 1.36.4

pkgs.opa-envoy-plugin

A plugin to enforce OPA policies with Envoy

nixos-unstable 1.13.2-envoy-2
- nixpkgs-unstable 1.13.2-envoy-2
- nixos-unstable-small 1.13.2-envoy-2
nixos-25.11 1.10.0-envoy
- nixos-25.11-small 1.10.0-envoy
- nixpkgs-25.11-darwin 1.10.0-envoy

pkgs.python312Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python313Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1
nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python314Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1

pkgs.python312Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python313Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3
nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python314Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@lukegb Luke Granger-Brown <nix@lukegb.com>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@charlieegan3 Charlie Egan <git@charlieegan3.com>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>