Use-after-free in envoy - CVE-2026-48090


Published: June 24, 2026


Vulnerability identifier: #VU135107
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48090
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cloud Native Computing Foundation
Affected software:
envoy

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the HTTP OAuth2 filter when handling a late async token completion after downstream stream teardown. A remote attacker can trigger an OAuth authorization-code flow and terminate the downstream stream before the token response completes to cause a denial of service.

The issue manifests as undefined behavior and worker crashes when the token endpoint request remains in flight after the downstream stream has been torn down.
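The lifecycle hazard described above, shown as an added illustration that is not Envoy's code (all type and function names are hypothetical): the completion callback for the async token request holds only a weak reference to the per-stream filter state, so a response that arrives after the downstream stream has been torn down is dropped instead of being applied to freed memory.

```cpp
#include <functional>
#include <memory>
#include <string>

// Models the ordering problem: a filter issues an async token-endpoint
// request, and the completion may be delivered after the downstream stream
// (and with it the filter) has already been destroyed.

// A pending HTTP call whose completion the event loop delivers later.
struct PendingTokenCall {
  std::function<void(const std::string&)> on_complete;
};

// Hypothetical per-stream OAuth2 filter state owning the token exchange result.
class OAuth2FilterState : public std::enable_shared_from_this<OAuth2FilterState> {
 public:
  std::string access_token;
  int completions_applied = 0;

  // Fragile variant (not shown runnable): capturing `this` as a raw pointer
  // lets a late completion dereference a freed filter, the use-after-free.
  // Hardened variant: capture a weak_ptr and only act if the filter is alive.
  PendingTokenCall startTokenRequest() {
    std::weak_ptr<OAuth2FilterState> weak = shared_from_this();
    return PendingTokenCall{[weak](const std::string& token) {
      if (auto self = weak.lock()) {  // stream still live: apply the token
        self->access_token = token;
        self->completions_applied++;
      }
      // else: downstream stream already torn down; ignore the late response
    }};
  }
};

// Runs the exchange with the completion arriving before or after teardown.
// Returns how many completions were applied to live filter state.
int simulate(bool teardown_before_completion) {
  auto filter = std::make_shared<OAuth2FilterState>();
  PendingTokenCall call = filter->startTokenRequest();
  if (teardown_before_completion) {
    filter.reset();  // downstream stream gone; filter state destroyed
  }
  call.on_complete("constructed-token-value");  // late async completion
  return filter ? filter->completions_applied : 0;
}
```

The same guard can be expressed as an explicit cancellation of the in-flight request during teardown; the weak reference is simply the form that tolerates completions that cannot be cancelled.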


How to mitigate CVE-2026-48090

Install the security update from the vendor's website.

Sources