SB2026062440 - Multiple vulnerabilities in envoy


Published: June 24, 2026

Security Bulletin ID: SB2026062440
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 71%
Low: 29%

Description

This security bulletin contains information about 14 vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2026-48706)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in TcpStatsdSink when processing exceptionally long statistic names. A remote attacker can send an HTTP or gRPC request with an extremely long request path, which is recorded in a statistic name, to cause a denial of service or execute arbitrary code.

Only deployments using a TCP-based StatsD sink and emitting client-influenced dynamic statistics are vulnerable, such as when the grpc_stats filter is configured with stats_for_all_methods: true.


2) Input validation error (CVE-ID: CVE-2026-47778)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass host authentication.

The vulnerability exists due to improper input validation in DefaultCertValidator::verifySubjectAltName when validating DNS subject alternative names in upstream TLS certificates. A remote privileged user can present a certificate containing a dNSName SAN with an embedded NUL byte to bypass host authentication.

Only DNS SAN validation is affected. Exploitation requires Envoy to use auto_sni and auto_san_validation for upstream connections, and depends on a trusted certificate authority accepting certificates with embedded NUL characters.


3) Use-after-free (CVE-ID: CVE-2026-48090)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the HTTP OAuth2 filter when handling a late async token completion after downstream stream teardown. A remote attacker can trigger an OAuth authorization-code flow and terminate the downstream stream before the token response completes to cause a denial of service.

The issue manifests as undefined behavior and worker crashes when the token endpoint request remains in flight after the downstream stream has been torn down.


4) Use-after-free (CVE-ID: CVE-2026-47205)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. A remote attacker can rapidly create and tear down streams to cause a denial of service.

Exploitation requires the target route to use a per-route ext_authz override with grpc_service or http_service, and the disconnect must occur during the authorization check interval.


5) NULL pointer dereference (CVE-ID: CVE-2026-47204)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the envoy.filters.http.grpc_stats filter when processing Connect protocol requests to direct_response routes. A remote user can send a specially crafted HTTP request with a Connect content-type header to cause a denial of service.

Only deployments that use the grpc_stats filter on direct_response routes are vulnerable. No special payload, gRPC client, or protobuf framing is required.


6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-48743)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to smuggle requests and bypass routing or policy controls.

The vulnerability exists due to inconsistent interpretation of HTTP requests at the boundary where a downstream HTTP/3 request is translated to upstream HTTP/1, when processing a headers-only HTTP/3 request with a nonzero Content-Length. A remote attacker can send a specially crafted HTTP/3 request to smuggle requests and bypass routing or policy controls.

Exploitation requires downstream HTTP/3 to be enabled, an upstream HTTP/1 origin that can respond before consuming the declared request body, and reuse of the upstream HTTP/1 connection after that response.


7) Stack-based buffer overflow (CVE-ID: CVE-2026-48042)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow in the JSON Object destructor when processing deeply nested JSON input. A remote attacker can send a specially crafted JSON string to cause a denial of service.

The issue is triggered after successful parsing when the resulting object graph is destroyed, and affects uses of the loadFromString method.


8) Resource exhaustion (CVE-ID: CVE-2026-48044)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper control of resource consumption in ZstdDecompressorImpl when processing a specially crafted highly compressed zstd payload. A remote attacker can send a specially crafted compressed request body to cause a denial of service.

Only Envoy instances with zstd decompression enabled are vulnerable. The issue can lead to severe memory exhaustion and out-of-memory termination.


9) Input validation error (CVE-ID: CVE-2026-47692)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to inject attacker-controlled bytes into the upstream application stream.

The vulnerability exists due to improper input validation in generateV2Header() in source/extensions/common/proxy_protocol/proxy_protocol_header.cc when generating a PROXY protocol v2 header with pass-through TLVs and added TLVs that exceed the 65535-byte limit. A remote privileged user can supply crafted TLV content that is emitted beyond the advertised header length to inject attacker-controlled bytes into the upstream application stream.

The issue is reachable in configurations that use the listener proxy_protocol filter with pass_through_tlvs together with upstream_proxy_protocol v2 and at least one added_tlvs entry.
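As an added example (not Envoy's code and not part of the bulletin), a minimal PROXY protocol v2 builder and parser in Python showing why the 16-bit length field has to be enforced on the sending side: a receiver only consumes the advertised length, so anything emitted past it is delivered to the application as payload. Field layout follows the PROXY protocol v2 specification; the TLV type 0xE0 and addresses are constructed sample values.

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_MAX_LEN = 0xFFFF  # 16-bit length field covers everything after the 16-byte fixed part
# Address block size by family nibble: UNSPEC, INET (2x4 + 2x2), INET6 (2x16 + 2x2), UNIX (2x108)
ADDR_LEN = {0x0: 0, 0x1: 12, 0x2: 36, 0x3: 216}


def parse_proxy_v2(data: bytes):
    """Parse a PROXY v2 header; return (tlvs, consumed). data[consumed:] is application payload."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1):
        raise ValueError("bad version/command byte")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated header")
    family = fam_proto >> 4
    if family not in ADDR_LEN or ADDR_LEN[family] > length:
        raise ValueError("bad address family or length")
    pos, tlvs = 16 + ADDR_LEN[family], []
    while pos < end:  # every TLV must fit inside the advertised length
        if end - pos < 3:
            raise ValueError("truncated TLV")
        tlv_type, tlv_len = struct.unpack("!BH", data[pos:pos + 3])
        if pos + 3 + tlv_len > end:
            raise ValueError("TLV overruns advertised header length")
        tlvs.append((tlv_type, data[pos + 3:pos + 3 + tlv_len]))
        pos += 3 + tlv_len
    return tlvs, end


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port, tlvs):
    """Build an IPv4/TCP PROXY v2 header, failing closed instead of exceeding the limit."""
    body = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!HH", src_port, dst_port)
    for tlv_type, value in tlvs:
        if len(value) > 0xFFFF:
            raise ValueError("TLV value exceeds its 16-bit length field")
        body += struct.pack("!BH", tlv_type, len(value)) + value
    if len(body) > PP2_MAX_LEN:
        # The defect class from item 9: content past 65535 bytes cannot be described by
        # the length field, so it would be emitted as application data. Refuse instead.
        raise ValueError("header exceeds the 65535-byte limit")
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body
```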


10) Input validation error (CVE-ID: CVE-2026-47220)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the %REQUESTED_SERVER_NAME(X:Y)% log format handler when processing requests with a missing host-related header while host fallback options are configured. A remote attacker can send a specially crafted request to cause a denial of service.

Exploitation requires the log format to use %REQUESTED_SERVER_NAME(X:Y)% with host-related fallback options such as HOST_FIRST, SNI_FIRST, or ORIG.


11) NULL pointer dereference (CVE-ID: CVE-2026-47221)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the router filter when handling HTTP 303 internal redirects for body-less non-GET/HEAD requests. A remote attacker can send a specially crafted request to cause a denial of service.

Exploitation requires a route configured with an internal redirect policy that includes 303 in redirect_response_codes, and an upstream response with HTTP 303.


12) Use-after-free (CVE-ID: CVE-2026-47207)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to use-after-free in AsyncStreamImpl::onData() when processing a single gRPC message containing multiple specially crafted ProcessingResponse messages from an ext_proc server. A remote user can send a specially crafted gRPC message to cause a denial of service.

Exploitation requires the ext_proc filter to be configured in the HTTP filter chain.


13) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-47775)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and act as the victim.

The vulnerability exists due to use of a broken or risky cryptographic algorithm in the OAuth2 HTTP filter /callback handler and cookie decryption logic when handling crafted CodeVerifier cookies. A remote attacker can send a sequence of specially crafted requests to recover the plaintext PKCE code_verifier and use it to obtain the victim's access token to disclose sensitive information and act as the victim.

User interaction is required for the victim to initiate the OAuth2 login flow, and exploitation requires access to the victim's encrypted CodeVerifier cookie and authorization code.


14) Use of incorrect operator (CVE-ID: CVE-2026-48497)

CWE-ID: CWE-480 - Use of Incorrect Operator

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use of an incorrect operator in the DNS UDP filter when processing a DNS query containing a name 255 octets long. A remote attacker can send a specially crafted DNS query to cause a denial of service.

Exploitation requires that the DNS filter successfully resolve the queried name.


Remediation

Install the update from the vendor's website.
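To help decide which deployments need the update first, here is an added triage script (not part of the bulletin and not Envoy's code) that walks an Envoy configuration in its JSON form and flags the preconditions the bulletin names for items 1, 2, 3, 4, 5, 8, 9, 10, 11 and 12. The key names and filter-name fragments are the ones quoted above; matching on bare key names anywhere in the tree is an assumption rather than a schema-aware check, and the sample config is constructed.

```python
import json

# Heuristic rules derived from the bulletin's stated preconditions: match on key names
# anywhere in the config tree (assumption: not a full Envoy schema check).
KEY_RULES = [  # (bulletin item, key name, predicate on the value, finding text)
    ("1", "stats_for_all_methods", lambda v: v is True,
     "grpc_stats emits client-influenced stat names; check for a TCP StatsD sink"),
    ("2", "auto_san_validation", lambda v: v is True,
     "upstream DNS SAN validation enabled (NUL-byte SAN issue)"),
    ("9", "pass_through_tlvs", lambda v: v is not None, "PROXY v2 pass-through TLVs"),
    ("9", "added_tlvs", lambda v: bool(v), "PROXY v2 added TLVs (oversized header issue)"),
    ("11", "redirect_response_codes", lambda v: isinstance(v, list) and 303 in v,
     "internal redirect policy accepts HTTP 303"),
]
# Filter names appear as values of "name" keys; match on the identifying substring.
NAME_RULES = [("3", "oauth2"), ("4", "ext_authz"), ("5", "grpc_stats"), ("8", "zstd"), ("12", "ext_proc")]


def walk(node, path=""):
    """Yield (path, key, value) for every mapping entry in a JSON-like config tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def audit(config):
    """Return findings as (item, path, message), ordered by bulletin item number."""
    findings = []
    for path, key, value in walk(config):
        loc = f"{path}/{key}"
        for item, name, pred, msg in KEY_RULES:
            if key == name and pred(value):
                findings.append((item, loc, msg))
        if key == "name" and isinstance(value, str):
            findings += [(item, loc, f"filter {value} in use") for item, frag in NAME_RULES if frag in value]
        if isinstance(value, str) and "%REQUESTED_SERVER_NAME(" in value and any(f in value for f in ("HOST_FIRST", "SNI_FIRST", "ORIG")):
            findings.append(("10", loc, "log format uses REQUESTED_SERVER_NAME with a host fallback"))
    return sorted(findings, key=lambda f: int(f[0]))


# Constructed sample fragment in Envoy's JSON config form (not a real deployment).
SAMPLE = json.loads("""{
 "http_filters": [{"name": "envoy.filters.http.grpc_stats", "typed_config": {"stats_for_all_methods": true}},
                  {"name": "envoy.filters.http.router"}],
 "internal_redirect_policy": {"redirect_response_codes": [302, 303]},
 "access_log_format": "%REQUESTED_SERVER_NAME(HOST_FIRST)% %REQ(:authority)%"}""")
```

Running `audit(SAMPLE)` on the constructed fragment reports items 1, 5, 10 and 11 with the config path of each match; an empty result means none of the listed preconditions were found, not that the deployment is unaffected.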

References