Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 (See Other) internal redirects for body-less non-GET/HEAD requests. When a POST, PUT, DELETE, or PATCH request without a body is sent to a route configured with internal redirect policy that includes 303 in redirect_response_codes, and the upstream responds with HTTP 303, the redirect handling code attempts to drain a request body buffer that was never allocated. This results in a segmentation fault that crashes the entire Envoy process. When a route is configured with internal_redirect_policy including 303 in redirect_response_codes and the upstream returns an HTTP 303 response, an unauthenticated attacker can exploit this to cause complete denial of service, terminating all active connections. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference in Envoy’s router filter triggers a segmentation fault when handling HTTP 303 (See Other) internal redirects for body‑less non‑GET/HEAD requests. This weakness is a CWE‑476 flaw. When a POST, PUT, DELETE, or PATCH request without a body is sent to a route with an internal_redirect_policy that includes 303, and the upstream backend responds with HTTP 303, the redirect logic attempts to drain a request‑body buffer that was never allocated. The error causes the entire Envoy process to crash, abruptly terminating service and all active connections. This results in a denial‑of‑service condition that can be triggered by an unauthenticated attacker. Based on the description, it is inferred that the attacker must send a body‑less non‑GET/HEAD request to a route configured for internal redirects and that the backend returns a 303 response for the attack to succeed. No privileges or authentication are required. The crash propagates to the whole Envoy instance; therefore, any client or service connected through that proxy receives an immediate disconnection and cannot recover until the process restarts.

Affected Systems

The vulnerability affects the Envoy proxy (envoyproxy:envoy) from release 1.18.0 up to, but not including, the fixed releases 1.35.13, 1.36.9, 1.37.5, and 1.38.3. Users running an earlier version on any of these branches should prepare to upgrade.

Risk and Exploitability

The CVSS score of 5.9 places this issue in the Medium severity range, but the impact is a full denial of service that can bring down the entire Envoy instance. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which records vulnerabilities known to be exploited; the SSVC data on this page records the exploitation status as 'poc'. The attack vector is network (AV:N), reachable from any network that can reach the Envoy instance, although the CVSS vector rates attack complexity as high (AC:H). An unauthenticated attacker can trigger the crash by sending an appropriate request, so the risk is high for exposed services.

Generated by OpenCVE AI on June 26, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to a fixed release: 1.35.13, 1.36.9, 1.37.5, or 1.38.3, or a later release on the same branch.
  • If patching is delayed, reconfigure the affected routes to remove 303 from redirect_response_codes or to disable the internal_redirect_policy. This prevents the crash scenario.
  • Ensure that body-less POST, PUT, DELETE, or PATCH requests are rejected, or that a body is mandatory for these methods, before the request reaches the internal redirect logic.

Generated by OpenCVE AI on June 26, 2026 at 19:51 UTC.
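
A configuration audit for the first two recommendations, as an added example (not OpenCVE's or the Envoy project's code): it walks an Envoy configuration loaded as JSON and reports every internal_redirect_policy whose redirect_response_codes lists 303, and checks a version string against the fixed releases named in the description. The sample configuration, the function names, and the treatment of branches after 1.38 as fixed are assumptions.

```python
import json

# Fixed releases named in the description, keyed by (major, minor) branch.
FIXED = {(1, 35): 13, (1, 36): 9, (1, 37): 5, (1, 38): 3}

# Constructed sample route configuration (JSON form), not taken from the page.
SAMPLE = json.loads("""
{"virtual_hosts": [{"name": "app", "domains": ["*"], "routes": [
  {"match": {"prefix": "/login"},
   "route": {"cluster": "auth",
             "internal_redirect_policy": {"redirect_response_codes": [302, 303]}}},
  {"match": {"prefix": "/static"},
   "route": {"cluster": "static",
             "internal_redirect_policy": {"redirect_response_codes": [302]}}},
  {"match": {"prefix": "/"}, "route": {"cluster": "web"}}
]}]}
""")

def version_affected(version):
    """True if the release is 1.18.0 or later and predates the fix on its branch."""
    major, minor, patch = (int(p) for p in version.split("."))
    branch = (major, minor)
    if branch < (1, 18) or branch > (1, 38):
        return False  # assumption: branches after 1.38 already carry the fix
    # Branches before 1.35 have no fixed release listed, so all are affected.
    return patch < FIXED.get(branch, float("inf"))

def routes_allowing_303(node, path="$"):
    """Return the JSON paths of every internal_redirect_policy that lists 303."""
    hits = []
    if isinstance(node, dict):
        policy = node.get("internal_redirect_policy")
        if isinstance(policy, dict) and 303 in policy.get("redirect_response_codes", []):
            hits.append(path + ".internal_redirect_policy")
        for key, value in node.items():
            hits += routes_allowing_303(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += routes_allowing_303(value, f"{path}[{index}]")
    return hits

if __name__ == "__main__":
    for hit in routes_allowing_303(SAMPLE):
        print("303 internal redirect enabled at", hit)
    print("1.36.4 affected:", version_affected("1.36.4"))
```

A route is only exposed when both checks are positive: the running release predates the fix on its branch and the route's policy lists 303.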

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Envoyproxy; Envoyproxy envoy
Vendors & Products | | Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | Envoy: Null pointer deref in internal redirects
Weaknesses | | CWE-476
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:33:34.507Z

Reserved: 2026-05-18T22:25:21.258Z

Link: CVE-2026-47221

Vulnrichment

Updated: 2026-06-26T18:33:29.263Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z
