Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Envoy, the open-source edge and service proxy, contains a null pointer dereference in the grpc_stats filter that triggers a segmentation fault when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) is routed to a direct_response endpoint. A single unauthenticated HTTP request is enough to crash the Envoy process, causing denial of service for every service behind that proxy. The flaw is a NULL pointer dereference (CWE-476).

Affected Systems

Envoyproxy Envoy releases that do not yet contain the patch are affected: every release from 1.26.0 up to, but excluding, the fixed releases 1.35.13, 1.36.9, 1.37.5, and 1.38.3 is vulnerable. Any deployment running Envoy older than those fixed releases should check its version.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Because the exploit requires only a single HTTP request with the right Content-Type header and needs no authentication, the likelihood of a targeted attack is non-negligible. The vulnerability is not listed in the CISA KEV catalog and no EPSS score is available, but the availability impact can be significant for production services that expose Envoy instances or have direct_response routes enabled.

Generated by OpenCVE AI on June 26, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to at least 1.35.13, 1.36.9, 1.37.5, or 1.38.3, where the grpc_stats filter bug is fixed.
  • If an upgrade is not immediately possible, temporarily disable the grpc_stats filter or remove any direct_response routes that accept Connect protocol requests.
  • Implement network controls to block Connect protocol traffic from reaching Envoy instances that cannot be upgraded and monitor logs for any attempted crashes.
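The first step in both sections above is working out which Envoy builds fall inside the affected range, which is awkward to do by eye because four release lines each have their own fix and the 1.26 through 1.34 lines have none. The following checker is an added example, not code from OpenCVE or the Envoy project: it encodes the fixed releases named in this advisory, reports the nearest fixed release for each vulnerable host, and treats anything newer than the 1.38 line as unaffected (an assumption drawn from "until 1.38.3"). The hostnames and versions in the sample inventory are constructed.

```python
"""Audit an Envoy fleet inventory against the fix releases named in this advisory.

Added example (not OpenCVE's or the Envoy project's code). Fixed releases
come from the advisory text; the sample inventory is constructed.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (1, 26, 0)

# Per-branch fix releases exactly as listed in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 35): (1, 35, 13),
    (1, 36): (1, 36, 9),
    (1, 37): (1, 37, 5),
    (1, 38): (1, 38, 3),
}
# Lines 1.26 .. 1.34 have no fix of their own and must move to the oldest fixed line.
OLDEST_FIXED: Version = min(FIXED_BY_BRANCH.values())


def parse_version(text: str) -> Version:
    """Parse strings such as 'v1.36.8', '1.36.8-dev' or '1.36.8+build' into (major, minor, patch)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Envoy version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True when the version lies in the affected range described by the advisory."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        # A maintained line: vulnerable until its own fix release.
        return v < fixed
    if branch < (1, 35):
        # 1.26 .. 1.34: every build is affected, no per-line fix exists.
        return True
    # ASSUMPTION: lines newer than 1.38 post-date the fix and are not affected.
    return False


def minimum_fix(text: str) -> Optional[str]:
    """Nearest fixed release to move to, or None when no upgrade is needed."""
    if not is_vulnerable(text):
        return None
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2], OLDEST_FIXED)
    return ".".join(str(n) for n in fixed)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each vulnerable host in {hostname: version} to the release it should upgrade to."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        fix = minimum_fix(version)
        if fix is not None:
            result[host] = fix
    return result


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "edge-01": "v1.36.8",         # one patch behind the 1.36 fix
    "edge-02": "1.36.9",          # exactly the fixed release
    "mesh-sidecar-a": "1.31.4",   # old line with no fix of its own
    "legacy-gw": "1.25.9",        # predates the affected range
    "edge-03": "1.38.3",          # fixed release on the newest listed line
}

if __name__ == "__main__":
    for host, fix in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: vulnerable, upgrade to {fix}")
```

Feed `audit()` the version strings your inventory system already reports (for example the output of `envoy --version` collected per host); hosts on the 1.26 through 1.34 lines are always reported with 1.35.13 as the target, since that is the oldest release carrying the fix.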

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

  • First Time appeared (values added): Envoyproxy; Envoyproxy envoy
  • Vendors & Products (values added): Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 18:15:00 +0000

  • Description (value added): the CVE description shown at the top of this record
  • Title (value added): Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes
  • Weaknesses (value added): CWE-476
  • References: no values recorded
  • Metrics (value added): cvssV3_1, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T17:37:17.376Z

Reserved: 2026-05-18T22:07:37.436Z

Link: CVE-2026-47204

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses