Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    231 vulnerabilities by envoyproxy

    CVE-2026-48090 (GCVE-0-2026-48090)

    Vulnerability from nvd – Published: 2026-06-26 18:03 – Updated: 2026-06-26 18:03
    VLAI
    Title
    Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object\u2019s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent.  This vulnerability is fixed in 1.37.5 and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:03:05.257Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f"
            }
          ],
          "source": {
            "advisory": "GHSA-3cj2-c63f-q26f",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48090",
        "datePublished": "2026-06-26T18:03:05.257Z",
        "dateReserved": "2026-05-20T18:40:45.833Z",
        "dateUpdated": "2026-06-26T18:03:05.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47220 (GCVE-0-2026-47220)

    Vulnerability from nvd – Published: 2026-06-26 18:02 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47220",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:26:27.302143Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:26:30.243Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 3",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-26T18:02:17.679Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Envoy. A remote attacker can exploit this vulnerability by sending a request with a missing host header when the `%REQUESTED_SERVER_NAME(X:Y)%` is used in the log format and host-related options, such as HOST_FIRST or SNI_FIRST, are specified. This can lead to a crash of the Envoy proxy, resulting in a Denial of Service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-476",
                    "description": "NULL Pointer Dereference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:01.885Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-47220"
              },
              {
                "name": "RHBZ#2493652",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493652"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47220.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-26T19:01:34.167Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-26T18:02:17.679Z",
                "value": "Made public."
              }
            ],
            "title": "envoy: Envoy: Denial of Service via missing host header in specific logging configurations",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it\u0027s possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:02:17.679Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v"
            }
          ],
          "source": {
            "advisory": "GHSA-j9wh-4qfm-wf2v",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47220",
        "datePublished": "2026-06-26T18:02:17.679Z",
        "dateReserved": "2026-05-18T22:25:21.258Z",
        "dateUpdated": "2026-06-30T12:10:01.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47205 (GCVE-0-2026-47205)

    Vulnerability from nvd – Published: 2026-06-26 18:01 – Updated: 2026-06-27 02:54
    VLAI
    Title
    Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy's ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. During standard request lifecycles, Envoy instantiates the ext_authz filter with a foundational authorization client object (client_). If a matched route dictates a dynamic per-route HTTP or gRPC authorization service override, the filter generates a localized client. In the vulnerable implementation, this transient client aggressively overwrote the default client_ unique pointer by executing client_ = std::move(per_route_client). When a client rapidly establishes and subsequently tears down a stream (such as rapidly refreshing a protected WebSocket endpoint), the downstream triggers the ConnectionManagerImpl::doDeferredStreamDestroy() -> ActiveStream::onResetStream() lifecycle. Envoy immediately sequences Filter::onDestroy() in an attempt to securely abort dispatched asynchronous authorization check transactions via client_->cancel(). By destructing the default client abruptly during initiateCall, a memory lifecycle misalignment occurs within the async client manager. The stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, orchestrating a sequence where a late asynchronous callback from the network evaluates against a heavily destroyed ActiveStream validation span, generating a UAF process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47205",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-27T02:54:07.255044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-27T02:54:47.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy\u0027s ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. During standard request lifecycles, Envoy instantiates the ext_authz filter with a foundational authorization client object (client_). If a matched route dictates a dynamic per-route HTTP or gRPC authorization service override, the filter generates a localized client. In the vulnerable implementation, this transient client aggressively overwrote the default client_ unique pointer by executing client_ = std::move(per_route_client). When a client rapidly establishes and subsequently tears down a stream (such as rapidly refreshing a protected WebSocket endpoint), the downstream triggers the ConnectionManagerImpl::doDeferredStreamDestroy() -\u003e ActiveStream::onResetStream() lifecycle. Envoy immediately sequences Filter::onDestroy() in an attempt to securely abort dispatched asynchronous authorization check transactions via client_-\u003ecancel(). By destructing the default client abruptly during initiateCall, a memory lifecycle misalignment occurs within the async client manager. The stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, orchestrating a sequence where a late asynchronous callback from the network evaluates against a heavily destroyed ActiveStream validation span, generating a UAF process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:01:07.766Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j"
            }
          ],
          "source": {
            "advisory": "GHSA-mvh9-767w-x47j",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47205",
        "datePublished": "2026-06-26T18:01:07.766Z",
        "dateReserved": "2026-05-18T22:25:21.257Z",
        "dateUpdated": "2026-06-27T02:54:47.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48743 (GCVE-0-2026-48743)

    Vulnerability from nvd – Published: 2026-06-26 17:34 – Updated: 2026-06-29 15:20
    VLAI
    Title
    Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: >= 1.35.0, < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48743",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T15:04:55.378026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T15:20:33.276Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.35.0, \u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request\u0027s body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:34:22.470Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf"
            }
          ],
          "source": {
            "advisory": "GHSA-8phg-2h2q-jgxf",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48743",
        "datePublished": "2026-06-26T17:34:22.470Z",
        "dateReserved": "2026-05-22T19:10:35.747Z",
        "dateUpdated": "2026-06-29T15:20:33.276Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48706 (GCVE-0-2026-48706)

    Vulnerability from nvd – Published: 2026-06-26 17:38 – Updated: 2026-06-26 19:05
    VLAI
    Title
    Envoy Heap Buffer Overflow in TcpStatsdSink
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.34.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48706",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T19:05:13.902352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T19:05:30.344Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.34.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy\u0027s TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., \u003e16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB\u2014for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true\u2014the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:38:23.581Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4"
            }
          ],
          "source": {
            "advisory": "GHSA-7q3f-gwg7-j8g4",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy Heap Buffer Overflow in TcpStatsdSink"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48706",
        "datePublished": "2026-06-26T17:38:23.581Z",
        "dateReserved": "2026-05-22T18:47:27.754Z",
        "dateUpdated": "2026-06-26T19:05:30.344Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48497 (GCVE-0-2026-48497)

    Vulnerability from nvd – Published: 2026-06-26 17:32 – Updated: 2026-06-26 18:32
    VLAI
    Title
    Envoy: Abnormal process termination in DNS UDP filter
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long can complete successfully, a query with such name will result in abnormal process termination. The abnormal process termination is triggered by an invalid runtime precondition that the query name is strictly less than 255 octets, contradicting DNS specification rfc1035#section-2.3.4 that the name can be 255 or less octets. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-480 - Use of Incorrect Operator
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48497",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:32:39.500724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:32:51.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long can complete successfully, a query with such name will result in abnormal process termination. The abnormal process termination is triggered by an invalid runtime precondition that the query name is strictly less than 255 octets, contradicting DNS specification rfc1035#section-2.3.4 that the name can be 255 or less octets. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-480",
                  "description": "CWE-480: Use of Incorrect Operator",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:32:58.310Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q"
            }
          ],
          "source": {
            "advisory": "GHSA-j6g2-wf95-q66q",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Abnormal process termination in DNS UDP filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48497",
        "datePublished": "2026-06-26T17:32:58.310Z",
        "dateReserved": "2026-05-21T15:33:08.292Z",
        "dateUpdated": "2026-06-26T18:32:51.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48044 (GCVE-0-2026-48044)

    Vulnerability from nvd – Published: 2026-06-26 17:31 – Updated: 2026-06-26 18:31
    VLAI
    Title
    Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: >= 1.23.0, < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48044",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:31:06.118463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:31:20.280Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.23.0, \u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a  vulnerability has been identified in Envoy\u0027s zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:31:37.602Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg"
            }
          ],
          "source": {
            "advisory": "GHSA-m3p9-47wh-88wg",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48044",
        "datePublished": "2026-06-26T17:31:37.602Z",
        "dateReserved": "2026-05-20T18:15:53.578Z",
        "dateUpdated": "2026-06-26T18:31:20.280Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48042 (GCVE-0-2026-48042)

    Vulnerability from nvd – Published: 2026-06-26 17:29 – Updated: 2026-06-29 13:27
    VLAI
    Title
    Envoy: Stack overflow in destructor of highly nested JSON
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48042",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:27:35.763864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:27:38.828Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1124",
                  "description": "CWE-1124: Excessively Deep Nesting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:29:14.964Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv"
            },
            {
              "name": "https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21"
            }
          ],
          "source": {
            "advisory": "GHSA-f24p-rxw2-g6pv",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Stack overflow in destructor of highly nested JSON"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48042",
        "datePublished": "2026-06-26T17:29:14.964Z",
        "dateReserved": "2026-05-20T18:15:53.578Z",
        "dateUpdated": "2026-06-29T13:27:38.828Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47778 (GCVE-0-2026-47778)

    Vulnerability from nvd – Published: 2026-06-26 17:27 – Updated: 2026-06-27 02:53
    VLAI
    Title
    Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-158 - Improper Neutralization of Null Byte or NUL Character
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47778",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-27T02:52:00.418621Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-27T02:53:13.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-158",
                  "description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:27:57.707Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7"
            }
          ],
          "source": {
            "advisory": "GHSA-f8x4-rw5x-f3r7",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47778",
        "datePublished": "2026-06-26T17:27:57.707Z",
        "dateReserved": "2026-05-19T22:36:16.883Z",
        "dateUpdated": "2026-06-27T02:53:13.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47775 (GCVE-0-2026-47775)

    Vulnerability from nvd – Published: 2026-06-26 17:23 – Updated: 2026-06-29 15:20
    VLAI
    Title
    Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47775",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T15:05:22.645121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T15:20:39.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter\u0027s encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim\u0027s access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:23:51.663Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
            }
          ],
          "source": {
            "advisory": "GHSA-396h-jpq4-vc7p",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47775",
        "datePublished": "2026-06-26T17:23:51.663Z",
        "dateReserved": "2026-05-19T22:36:16.882Z",
        "dateUpdated": "2026-06-29T15:20:39.815Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47692 (GCVE-0-2026-47692)

    Vulnerability from nvd – Published: 2026-06-26 17:59 – Updated: 2026-06-26 19:07
    VLAI
    Title
    Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.34.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47692",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T19:07:31.350962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T19:07:49.683Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.34.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:59:38.922Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r"
            }
          ],
          "source": {
            "advisory": "GHSA-wh36-hm39-mm3r",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: PROXY Protocol v2 header generator emits \"skipped\" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47692",
        "datePublished": "2026-06-26T17:59:38.922Z",
        "dateReserved": "2026-05-19T21:18:20.403Z",
        "dateUpdated": "2026-06-26T19:07:49.683Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47221 (GCVE-0-2026-47221)

    Vulnerability from nvd – Published: 2026-06-26 17:35 – Updated: 2026-06-26 18:33
    VLAI
    Title
    Envoy: Null pointer deref in internal redirects
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 (See Other) internal redirects for body-less non-GET/HEAD requests. When a POST, PUT, DELETE, or PATCH request without a body is sent to a route configured with internal redirect policy that includes 303 in redirect_response_codes, and the upstream responds with HTTP 303, the redirect handling code attempts to drain a request body buffer that was never allocated. This results in a segmentation fault that crashes the entire Envoy process. When route configured with internal_redirect_policy including 303 in redirect_response_codes and upstream must return HTTP 303 response, an unauthenticated attacker can exploit this to cause complete denial of service, terminating all active connections. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.18.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47221",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:33:10.549936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:33:34.507Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.18.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 (See Other) internal redirects for body-less non-GET/HEAD requests. When a POST, PUT, DELETE, or PATCH request without a body is sent to a route configured with internal redirect policy that includes 303 in redirect_response_codes, and the upstream responds with HTTP 303, the redirect handling code attempts to drain a request body buffer that was never allocated. This results in a segmentation fault that crashes the entire Envoy process. When route configured with internal_redirect_policy including 303 in redirect_response_codes and upstream must return HTTP 303 response, an unauthenticated attacker can exploit this to cause complete denial of service, terminating all active connections. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:35:29.518Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr"
            }
          ],
          "source": {
            "advisory": "GHSA-rcff-gw58-pjpr",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Null pointer deref in internal redirects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47221",
        "datePublished": "2026-06-26T17:35:29.518Z",
        "dateReserved": "2026-05-18T22:25:21.258Z",
        "dateUpdated": "2026-06-26T18:33:34.507Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47207 (GCVE-0-2026-47207)

    Vulnerability from nvd – Published: 2026-06-26 17:52 – Updated: 2026-06-26 18:30
    VLAI
    Title
    Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, Envoy crashes if an ext_proc server sends a single gRPC message containing multiple, specially crafted ProcessingResponse messages. This can occur when the first response in the batch causes the gRPC stream object to be destroyed, leading to a use-after-free error when Envoy attempts to process subsequent responses in the same gRPC message. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.34.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47207",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:29:52.628465Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:30:08.843Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.34.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, Envoy crashes if an ext_proc server sends a single gRPC message containing multiple, specially crafted ProcessingResponse messages. This can occur when the first response in the batch causes the gRPC stream object to be destroyed, leading to a use-after-free error when Envoy attempts to process subsequent responses in the same gRPC message. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:53:09.174Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv"
            }
          ],
          "source": {
            "advisory": "GHSA-68cv-hq5f-g6xv",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47207",
        "datePublished": "2026-06-26T17:52:27.739Z",
        "dateReserved": "2026-05-18T22:25:21.257Z",
        "dateUpdated": "2026-06-26T18:30:08.843Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47204 (GCVE-0-2026-47204)

    Vulnerability from nvd – Published: 2026-06-26 17:37 – Updated: 2026-06-29 13:27
    VLAI
    Title
    Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.26.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47204",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:26:59.898189Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:27:03.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.26.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:37:17.376Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6"
            }
          ],
          "source": {
            "advisory": "GHSA-3jxh-8p6x-7pf6",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47204",
        "datePublished": "2026-06-26T17:37:17.376Z",
        "dateReserved": "2026-05-18T22:07:37.436Z",
        "dateUpdated": "2026-06-29T13:27:03.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47774 (GCVE-0-2026-47774)

    Vulnerability from nvd – Published: 2026-06-17 16:58 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-405 - Asymmetric Resource Consumption (Amplification)
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: < 1.35.11
    Affected: >= 1.36.0, < 1.36.7
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.38.0, < 1.38.1
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 2.6     cpe:/a:redhat:service_mesh:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.0     cpe:/a:redhat:service_mesh:3.0::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.1     cpe:/a:redhat:service_mesh:3.1::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.2     cpe:/a:redhat:service_mesh:3.2::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.3     cpe:/a:redhat:service_mesh:3.3::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-17T17:05:51.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/04/15"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47774",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T18:00:56.896750Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T18:01:59.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.0::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.0",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.1::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.3",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-04T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A denial-of-service vulnerability was found in Envoy\u0027s HTTP/2 HPACK header compression implementation. A remote attacker could send a specially crafted HTTP/2 request that triggers disproportionately large memory allocations on the server, leading to resource exhaustion and denial of service."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-409",
                    "description": "Improper Handling of Highly Compressed Data (Data Amplification)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:01.079Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-47774"
              },
              {
                "name": "RHBZ#2487465",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487465"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:27114"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26210"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26222"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26231"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26247"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26210: Red Hat OpenShift Service Mesh 3.0"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26222: Red Hat OpenShift Service Mesh 3.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26231: Red Hat OpenShift Service Mesh 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26247: Red Hat OpenShift Service Mesh 3.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-04T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-04T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "envoy: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack",
            "workarounds": [
              {
                "lang": "en",
                "value": "See the security bulletin for a detailed mitigation procedure."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy\u0027s HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-405",
                  "description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T16:58:36.541Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8"
            }
          ],
          "source": {
            "advisory": "GHSA-22m2-hvr2-xqc8",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47774",
        "datePublished": "2026-06-17T16:58:36.541Z",
        "dateReserved": "2026-05-19T22:36:16.882Z",
        "dateUpdated": "2026-06-30T12:10:01.079Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48090 (GCVE-0-2026-48090)

    Vulnerability from cvelistv5 – Published: 2026-06-26 18:03 – Updated: 2026-06-26 18:03
    VLAI
    Title
    Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object\u2019s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent.  This vulnerability is fixed in 1.37.5 and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:03:05.257Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f"
            }
          ],
          "source": {
            "advisory": "GHSA-3cj2-c63f-q26f",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48090",
        "datePublished": "2026-06-26T18:03:05.257Z",
        "dateReserved": "2026-05-20T18:40:45.833Z",
        "dateUpdated": "2026-06-26T18:03:05.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47220 (GCVE-0-2026-47220)

    Vulnerability from cvelistv5 – Published: 2026-06-26 18:02 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47220",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:26:27.302143Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:26:30.243Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 3",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-26T18:02:17.679Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Envoy. A remote attacker can exploit this vulnerability by sending a request with a missing host header when the `%REQUESTED_SERVER_NAME(X:Y)%` is used in the log format and host-related options, such as HOST_FIRST or SNI_FIRST, are specified. This can lead to a crash of the Envoy proxy, resulting in a Denial of Service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-476",
                    "description": "NULL Pointer Dereference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:01.885Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-47220"
              },
              {
                "name": "RHBZ#2493652",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493652"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47220.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-26T19:01:34.167Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-26T18:02:17.679Z",
                "value": "Made public."
              }
            ],
            "title": "envoy: Envoy: Denial of Service via missing host header in specific logging configurations",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it\u0027s possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:02:17.679Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v"
            }
          ],
          "source": {
            "advisory": "GHSA-j9wh-4qfm-wf2v",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47220",
        "datePublished": "2026-06-26T18:02:17.679Z",
        "dateReserved": "2026-05-18T22:25:21.258Z",
        "dateUpdated": "2026-06-30T12:10:01.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47205 (GCVE-0-2026-47205)

    Vulnerability from cvelistv5 – Published: 2026-06-26 18:01 – Updated: 2026-06-27 02:54
    VLAI
    Title
    Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy's ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. During standard request lifecycles, Envoy instantiates the ext_authz filter with a foundational authorization client object (client_). If a matched route dictates a dynamic per-route HTTP or gRPC authorization service override, the filter generates a localized client. In the vulnerable implementation, this transient client aggressively overwrote the default client_ unique pointer by executing client_ = std::move(per_route_client). When a client rapidly establishes and subsequently tears down a stream (such as rapidly refreshing a protected WebSocket endpoint), the downstream triggers the ConnectionManagerImpl::doDeferredStreamDestroy() -> ActiveStream::onResetStream() lifecycle. Envoy immediately sequences Filter::onDestroy() in an attempt to securely abort dispatched asynchronous authorization check transactions via client_->cancel(). By destructing the default client abruptly during initiateCall, a memory lifecycle misalignment occurs within the async client manager. The stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, orchestrating a sequence where a late asynchronous callback from the network evaluates against a heavily destroyed ActiveStream validation span, generating a UAF process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47205",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-27T02:54:07.255044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-27T02:54:47.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy\u0027s ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. During standard request lifecycles, Envoy instantiates the ext_authz filter with a foundational authorization client object (client_). If a matched route dictates a dynamic per-route HTTP or gRPC authorization service override, the filter generates a localized client. In the vulnerable implementation, this transient client aggressively overwrote the default client_ unique pointer by executing client_ = std::move(per_route_client). When a client rapidly establishes and subsequently tears down a stream (such as rapidly refreshing a protected WebSocket endpoint), the downstream triggers the ConnectionManagerImpl::doDeferredStreamDestroy() -\u003e ActiveStream::onResetStream() lifecycle. Envoy immediately sequences Filter::onDestroy() in an attempt to securely abort dispatched asynchronous authorization check transactions via client_-\u003ecancel(). By destructing the default client abruptly during initiateCall, a memory lifecycle misalignment occurs within the async client manager. The stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, orchestrating a sequence where a late asynchronous callback from the network evaluates against a heavily destroyed ActiveStream validation span, generating a UAF process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:01:07.766Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j"
            }
          ],
          "source": {
            "advisory": "GHSA-mvh9-767w-x47j",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47205",
        "datePublished": "2026-06-26T18:01:07.766Z",
        "dateReserved": "2026-05-18T22:25:21.257Z",
        "dateUpdated": "2026-06-27T02:54:47.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47692 (GCVE-0-2026-47692)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:59 – Updated: 2026-06-26 19:07
    VLAI
    Title
    Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.34.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47692",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T19:07:31.350962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T19:07:49.683Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.34.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:59:38.922Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r"
            }
          ],
          "source": {
            "advisory": "GHSA-wh36-hm39-mm3r",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: PROXY Protocol v2 header generator emits \"skipped\" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47692",
        "datePublished": "2026-06-26T17:59:38.922Z",
        "dateReserved": "2026-05-19T21:18:20.403Z",
        "dateUpdated": "2026-06-26T19:07:49.683Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47207 (GCVE-0-2026-47207)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:52 – Updated: 2026-06-26 18:30
    VLAI
    Title
    Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, Envoy crashes if an ext_proc server sends a single gRPC message containing multiple, specially crafted ProcessingResponse messages. This can occur when the first response in the batch causes the gRPC stream object to be destroyed, leading to a use-after-free error when Envoy attempts to process subsequent responses in the same gRPC message. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.34.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47207",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:29:52.628465Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:30:08.843Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.34.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, Envoy crashes if an ext_proc server sends a single gRPC message containing multiple, specially crafted ProcessingResponse messages. This can occur when the first response in the batch causes the gRPC stream object to be destroyed, leading to a use-after-free error when Envoy attempts to process subsequent responses in the same gRPC message. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:53:09.174Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv"
            }
          ],
          "source": {
            "advisory": "GHSA-68cv-hq5f-g6xv",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47207",
        "datePublished": "2026-06-26T17:52:27.739Z",
        "dateReserved": "2026-05-18T22:25:21.257Z",
        "dateUpdated": "2026-06-26T18:30:08.843Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48706 (GCVE-0-2026-48706)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:38 – Updated: 2026-06-26 19:05
    VLAI
    Title
    Envoy Heap Buffer Overflow in TcpStatsdSink
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.34.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48706",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T19:05:13.902352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T19:05:30.344Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.34.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy\u0027s TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., \u003e16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB\u2014for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true\u2014the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:38:23.581Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4"
            }
          ],
          "source": {
            "advisory": "GHSA-7q3f-gwg7-j8g4",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy Heap Buffer Overflow in TcpStatsdSink"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48706",
        "datePublished": "2026-06-26T17:38:23.581Z",
        "dateReserved": "2026-05-22T18:47:27.754Z",
        "dateUpdated": "2026-06-26T19:05:30.344Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47204 (GCVE-0-2026-47204)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:37 – Updated: 2026-06-29 13:27
    VLAI
    Title
    Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.26.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47204",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:26:59.898189Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:27:03.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.26.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:37:17.376Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6"
            }
          ],
          "source": {
            "advisory": "GHSA-3jxh-8p6x-7pf6",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47204",
        "datePublished": "2026-06-26T17:37:17.376Z",
        "dateReserved": "2026-05-18T22:07:37.436Z",
        "dateUpdated": "2026-06-29T13:27:03.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47221 (GCVE-0-2026-47221)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:35 – Updated: 2026-06-26 18:33
    VLAI
    Title
    Envoy: Null pointer deref in internal redirects
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 (See Other) internal redirects for body-less non-GET/HEAD requests. When a POST, PUT, DELETE, or PATCH request without a body is sent to a route configured with internal redirect policy that includes 303 in redirect_response_codes, and the upstream responds with HTTP 303, the redirect handling code attempts to drain a request body buffer that was never allocated. This results in a segmentation fault that crashes the entire Envoy process. When route configured with internal_redirect_policy including 303 in redirect_response_codes and upstream must return HTTP 303 response, an unauthenticated attacker can exploit this to cause complete denial of service, terminating all active connections. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.3
    Affected: >= 1.37.0, < 1.37.5
    Affected: >= 1.36.0, < 1.36.9
    Affected: >= 1.18.0, < 1.35.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47221",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:33:10.549936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:33:34.507Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.18.0, \u003c 1.35.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 (See Other) internal redirects for body-less non-GET/HEAD requests. When a POST, PUT, DELETE, or PATCH request without a body is sent to a route configured with internal redirect policy that includes 303 in redirect_response_codes, and the upstream responds with HTTP 303, the redirect handling code attempts to drain a request body buffer that was never allocated. This results in a segmentation fault that crashes the entire Envoy process. When route configured with internal_redirect_policy including 303 in redirect_response_codes and upstream must return HTTP 303 response, an unauthenticated attacker can exploit this to cause complete denial of service, terminating all active connections. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:35:29.518Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr"
            }
          ],
          "source": {
            "advisory": "GHSA-rcff-gw58-pjpr",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Null pointer deref in internal redirects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47221",
        "datePublished": "2026-06-26T17:35:29.518Z",
        "dateReserved": "2026-05-18T22:25:21.258Z",
        "dateUpdated": "2026-06-26T18:33:34.507Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48743 (GCVE-0-2026-48743)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:34 – Updated: 2026-06-29 15:20
    VLAI
    Title
    Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: >= 1.35.0, < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48743",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T15:04:55.378026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T15:20:33.276Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.35.0, \u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request\u0027s body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:34:22.470Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf"
            }
          ],
          "source": {
            "advisory": "GHSA-8phg-2h2q-jgxf",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48743",
        "datePublished": "2026-06-26T17:34:22.470Z",
        "dateReserved": "2026-05-22T19:10:35.747Z",
        "dateUpdated": "2026-06-29T15:20:33.276Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48497 (GCVE-0-2026-48497)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:32 – Updated: 2026-06-26 18:32
    VLAI
    Title
    Envoy: Abnormal process termination in DNS UDP filter
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long can complete successfully, a query with such name will result in abnormal process termination. The abnormal process termination is triggered by an invalid runtime precondition that the query name is strictly less than 255 octets, contradicting DNS specification rfc1035#section-2.3.4 that the name can be 255 or less octets. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-480 - Use of Incorrect Operator
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48497",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:32:39.500724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:32:51.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long can complete successfully, a query with such name will result in abnormal process termination. The abnormal process termination is triggered by an invalid runtime precondition that the query name is strictly less than 255 octets, contradicting DNS specification rfc1035#section-2.3.4 that the name can be 255 or less octets. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-480",
                  "description": "CWE-480: Use of Incorrect Operator",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:32:58.310Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q"
            }
          ],
          "source": {
            "advisory": "GHSA-j6g2-wf95-q66q",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Abnormal process termination in DNS UDP filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48497",
        "datePublished": "2026-06-26T17:32:58.310Z",
        "dateReserved": "2026-05-21T15:33:08.292Z",
        "dateUpdated": "2026-06-26T18:32:51.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48044 (GCVE-0-2026-48044)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:31 – Updated: 2026-06-26 18:31
    VLAI
    Title
    Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: >= 1.23.0, < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48044",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:31:06.118463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:31:20.280Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.23.0, \u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a  vulnerability has been identified in Envoy\u0027s zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:31:37.602Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg"
            }
          ],
          "source": {
            "advisory": "GHSA-m3p9-47wh-88wg",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48044",
        "datePublished": "2026-06-26T17:31:37.602Z",
        "dateReserved": "2026-05-20T18:15:53.578Z",
        "dateUpdated": "2026-06-26T18:31:20.280Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48042 (GCVE-0-2026-48042)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:29 – Updated: 2026-06-29 13:27
    VLAI
    Title
    Envoy: Stack overflow in destructor of highly nested JSON
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48042",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:27:35.763864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:27:38.828Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1124",
                  "description": "CWE-1124: Excessively Deep Nesting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:29:14.964Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv"
            },
            {
              "name": "https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21"
            }
          ],
          "source": {
            "advisory": "GHSA-f24p-rxw2-g6pv",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Stack overflow in destructor of highly nested JSON"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48042",
        "datePublished": "2026-06-26T17:29:14.964Z",
        "dateReserved": "2026-05-20T18:15:53.578Z",
        "dateUpdated": "2026-06-29T13:27:38.828Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47778 (GCVE-0-2026-47778)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:27 – Updated: 2026-06-27 02:53
    VLAI
    Title
    Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-158 - Improper Neutralization of Null Byte or NUL Character
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47778",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-27T02:52:00.418621Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-27T02:53:13.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-158",
                  "description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:27:57.707Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7"
            }
          ],
          "source": {
            "advisory": "GHSA-f8x4-rw5x-f3r7",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47778",
        "datePublished": "2026-06-26T17:27:57.707Z",
        "dateReserved": "2026-05-19T22:36:16.883Z",
        "dateUpdated": "2026-06-27T02:53:13.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47775 (GCVE-0-2026-47775)

    Vulnerability from cvelistv5 – Published: 2026-06-26 17:23 – Updated: 2026-06-29 15:20
    VLAI
    Title
    Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.36.0, < 1.36.7
    Affected: < 1.35.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47775",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T15:05:22.645121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T15:20:39.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter\u0027s encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim\u0027s access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T17:23:51.663Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
            }
          ],
          "source": {
            "advisory": "GHSA-396h-jpq4-vc7p",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47775",
        "datePublished": "2026-06-26T17:23:51.663Z",
        "dateReserved": "2026-05-19T22:36:16.882Z",
        "dateUpdated": "2026-06-29T15:20:39.815Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47774 (GCVE-0-2026-47774)

    Vulnerability from cvelistv5 – Published: 2026-06-17 16:58 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
    Summary
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-405 - Asymmetric Resource Consumption (Amplification)
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    Impacted products
    Vendor Product Version
    envoyproxy envoy Affected: < 1.35.11
    Affected: >= 1.36.0, < 1.36.7
    Affected: >= 1.37.0, < 1.37.3
    Affected: >= 1.38.0, < 1.38.1
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 2.6     cpe:/a:redhat:service_mesh:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.0     cpe:/a:redhat:service_mesh:3.0::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.1     cpe:/a:redhat:service_mesh:3.1::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.2     cpe:/a:redhat:service_mesh:3.2::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Service Mesh 3.3     cpe:/a:redhat:service_mesh:3.3::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-17T17:05:51.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/04/15"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47774",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T18:00:56.896750Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T18:01:59.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.0::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.0",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.1::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.3",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-04T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A denial-of-service vulnerability was found in Envoy\u0027s HTTP/2 HPACK header compression implementation. A remote attacker could send a specially crafted HTTP/2 request that triggers disproportionately large memory allocations on the server, leading to resource exhaustion and denial of service."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-409",
                    "description": "Improper Handling of Highly Compressed Data (Data Amplification)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:01.079Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-47774"
              },
              {
                "name": "RHBZ#2487465",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487465"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:27114"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26210"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26222"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26231"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26247"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26210: Red Hat OpenShift Service Mesh 3.0"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26222: Red Hat OpenShift Service Mesh 3.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26231: Red Hat OpenShift Service Mesh 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26247: Red Hat OpenShift Service Mesh 3.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-04T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-04T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "envoy: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack",
            "workarounds": [
              {
                "lang": "en",
                "value": "See the security bulletin for a detailed mitigation procedure."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "envoy",
              "vendor": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.35.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.36.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.37.0, \u003c 1.37.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.38.0, \u003c 1.38.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy\u0027s HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-405",
                  "description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T16:58:36.541Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8"
            }
          ],
          "source": {
            "advisory": "GHSA-22m2-hvr2-xqc8",
            "discovery": "UNKNOWN"
          },
          "title": "Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47774",
        "datePublished": "2026-06-17T16:58:36.541Z",
        "dateReserved": "2026-05-19T22:36:16.882Z",
        "dateUpdated": "2026-06-30T12:10:01.079Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }