Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Versions from 1.36.0 prior to 1.36.9, 1.37.5, and 1.38.3 contain a use-after-free (UAF) that causes a segmentation fault in Envoy's ext_authz HTTP filter when a per-route authorization override is processed concurrently with a rapid downstream client disconnect. During a normal request lifecycle, the ext_authz filter is instantiated with a default authorization client object (client_). If the matched route specifies a per-route HTTP or gRPC authorization service override, the filter creates a client dedicated to that route. In the vulnerable implementation this transient client overwrote the default client_ unique pointer with client_ = std::move(per_route_client). When a downstream client rapidly opens and then tears down a stream (for example by repeatedly refreshing a protected WebSocket endpoint), the reset runs the ConnectionManagerImpl::doDeferredStreamDestroy() -> ActiveStream::onResetStream() path, which immediately calls Filter::onDestroy() to abort any dispatched asynchronous authorization check via client_->cancel(). Because the default client is destroyed abruptly during initiateCall, the async client manager's bookkeeping no longer matches the object that owns the outstanding request: stream teardown does not reliably track and cancel the asynchronous authorization tasks bound to the dynamically created client, and a late callback from the network runs against an already destroyed ActiveStream, producing a use-after-free and a process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use-After-Free in Envoy's ext_authz HTTP filter can trigger a segmentation fault when per‑route authorization overrides are processed concurrently with rapid client disconnects. The vulnerability causes the filter to overwrite an internal client pointer, leading to a mismatched memory lifecycle that triggers a use‑after‑free during stream teardown. The result is a crash of the Envoy process, exposing the system to a denial‑of‑service condition.
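The ownership hazard described above, as an added C++ model that is not Envoy's code (Dispatcher, StreamRegistry, AuthClient, VulnerableFilter and HardenedFilter are invented names for illustration): a default client is replaced by a per-route client via move-assignment, so teardown can only cancel whatever client_ points at when onDestroy() runs. The description does not spell out the exact interleaving, so the model assumes two concrete orderings of a per-route override racing a downstream reset, and a registry of live streams stands in for the memory access that crashes the real filter. The hardened variant keeps the per-route client in its own member, cancels every client on destroy, and refuses to dispatch after teardown.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Stand-in for Envoy's event loop / async client manager: network completions run
// later, possibly after the filter and stream that requested them are gone.
struct Dispatcher {
  std::vector<std::function<void()>> pending;
  void drain() {
    auto batch = std::move(pending);
    pending.clear();
    for (auto& cb : batch) cb();
  }
};

// Records which streams are alive so a late callback can be detected rather than
// dereferencing freed memory (what ASan would report as heap-use-after-free).
struct StreamRegistry {
  std::set<const void*> live;
  int decisions = 0;           // callbacks that found a live stream
  int dangling_callbacks = 0;  // callbacks that arrived after the stream was freed
};

struct ActiveStream {
  explicit ActiveStream(StreamRegistry& r) : reg(r) { reg.live.insert(this); }
  ~ActiveStream() { reg.live.erase(this); }
  StreamRegistry& reg;
};

// Toy authorization client (assumed behaviour): check() queues a completion, cancel()
// suppresses the completion of the request this client issued. Destroying the client
// does not cancel anything, which is the gap the example exercises.
class AuthClient {
 public:
  explicit AuthClient(Dispatcher& d) : d_(d) {}
  void check(std::function<void()> on_complete) {
    auto token = std::make_shared<bool>(true);
    live_ = token;
    d_.pending.push_back([token, cb = std::move(on_complete)] { if (*token) cb(); });
  }
  void cancel() { if (auto t = live_.lock()) *t = false; }
 private:
  Dispatcher& d_;
  std::weak_ptr<bool> live_;
};

// The completion touches the stream; the registry lookup stands in for the crash.
static std::function<void()> authCallback(ActiveStream* s, StreamRegistry& reg) {
  return [s, &reg] { if (reg.live.count(s)) reg.decisions++; else reg.dangling_callbacks++; };
}

// Vulnerable shape: the per-route client move-assigns over client_, destroying the default
// client mid-initiateCall; onDestroy() cancels only whatever client_ points at now.
class VulnerableFilter {
 public:
  VulnerableFilter(Dispatcher& d, ActiveStream* s, StreamRegistry& r)
      : d_(d), stream_(s), reg_(r), client_(std::make_unique<AuthClient>(d)) {}
  void initiateCall(bool per_route_override) {
    if (per_route_override) client_ = std::make_unique<AuthClient>(d_);
    client_->check(authCallback(stream_, reg_));
  }
  void onDestroy() { client_->cancel(); }
 private:
  Dispatcher& d_; ActiveStream* stream_; StreamRegistry& reg_;
  std::unique_ptr<AuthClient> client_;
};

// Hardened shape: the per-route client has its own member, teardown cancels every client
// that may have issued a check, and nothing is dispatched once the filter is destroyed.
class HardenedFilter {
 public:
  HardenedFilter(Dispatcher& d, ActiveStream* s, StreamRegistry& r)
      : d_(d), stream_(s), reg_(r), client_(std::make_unique<AuthClient>(d)) {}
  void initiateCall(bool per_route_override) {
    if (destroyed_) return;
    AuthClient* active = client_.get();
    if (per_route_override) {
      per_route_client_ = std::make_unique<AuthClient>(d_);
      active = per_route_client_.get();
    }
    active->check(authCallback(stream_, reg_));
  }
  void onDestroy() {
    destroyed_ = true;
    client_->cancel();
    if (per_route_client_) per_route_client_->cancel();
  }
 private:
  Dispatcher& d_; ActiveStream* stream_; StreamRegistry& reg_;
  std::unique_ptr<AuthClient> client_, per_route_client_;
  bool destroyed_ = false;
};

// Two assumed orderings of "override arrives while the downstream is resetting". In both,
// the stream is freed before the queued completions run. Returns the dangling-callback count.
template <class Filter>
int danglingCallbacks(int ordering) {
  Dispatcher d; StreamRegistry reg;
  {
    ActiveStream stream(reg);
    Filter f(d, &stream, reg);
    if (ordering == 0) {
      f.initiateCall(false);  // default client's check is in flight
      f.initiateCall(true);   // per-route override replaces the client
      f.onDestroy();          // downstream reset
    } else {
      f.onDestroy();          // reset lands first...
      f.initiateCall(true);   // ...and the override's check is still dispatched
    }
  }
  d.drain();
  return reg.dangling_callbacks;
}

int vulnerableDangling(int ordering) { return danglingCallbacks<VulnerableFilter>(ordering); }
int hardenedDangling(int ordering) { return danglingCallbacks<HardenedFilter>(ordering); }
```

In both orderings the vulnerable filter leaves exactly one completion that runs after the stream is freed; the hardened filter leaves none. In the real filter that late completion is the crash, so the practical check is to run the ext_authz test suite under ASan with per-route overrides and stream resets interleaved.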

Affected Systems

Envoy Proxy from the Envoy project is affected. Vulnerable versions are 1.36.0 and later releases prior to 1.36.9, 1.37.x prior to 1.37.5, and 1.38.x prior to 1.38.3. Any build that includes the ext_authz HTTP filter and uses per-route overrides is exposed until it is updated to one of those fixed releases or later.

Risk and Exploitability

The CVSS 3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a network-reachable, unauthenticated availability impact with high attack complexity: the attacker has to win a timing race between a per-route override and a stream reset rather than send a single crafted request. The EPSS value is currently unavailable, and the vulnerability is not listed in CISA's KEV catalog. Because the crash arises from ordinary request lifecycle handling and not from malformed data, an attacker would most likely send bursts of connections to a route with a per-route auth override and disconnect them quickly to trigger rapid downstream resets. Where Envoy fronts production traffic, a single crash takes down every connection on that process and affects availability until the service is restarted.

Generated by OpenCVE AI on June 26, 2026 at 20:24 UTC.

Remediation

No workaround is provided by the vendor; the description above states that the fix ships in Envoy 1.36.9, 1.37.5, and 1.38.3.

OpenCVE Recommended Actions

  • Upgrade Envoy to the patched release for your branch (v1.36.9, v1.37.5, or v1.38.3) or later, which contains the fix for this use‑after‑free.
  • If an immediate upgrade is not possible, temporarily disable per‑route ext_authz overrides or remove dynamic override configuration so that the vulnerable code path is never reached.
  • Deploy monitoring that detects Envoy crashes, and configure automatic restarts or alerts so administrators can intervene before a full outage occurs.


Tracking


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type       | Values Removed         | Values Added
References |                        |
Metrics    | threat_severity: None  | threat_severity: Moderate


Fri, 26 Jun 2026 23:15:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Envoyproxy; Envoyproxy envoy
Vendors & Products  |                | Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | (full text identical to the Description at the top of this page)
Title       |                | Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides
Weaknesses  |                | CWE-416
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:01:07.766Z

Reserved: 2026-05-18T22:25:21.257Z

Link: CVE-2026-47205

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-26T18:01:07Z

Links: CVE-2026-47205 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T23:00:08Z

Weaknesses