Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The destructor of the JSON Object in Envoy can trigger a stack overflow when processing an object hierarchy that is over 100,000 levels deep. This stack-1124, and the known CWE list also includes CWE-776, indicating an additional weakness related to buffer handling. The overflow corrupts control data, causing the Envoy process to terminate unexpectedly. The immediate outcome is a denial of service to any service relying on that Envoy instance.

Affected Systems

Vulnerable versions are those older than Envoy 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Any instance running those older releases that loads deeply nested configuration files can be vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high‑severity denial‑of‑service flaw. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation in the wild is uncertain. The likely attack vector is an attacker supplying a deeply nested JSON configuration that is processed by Envoy, causing the stack overflow during object destruction. A malformed configuration could lead to a crash and service disruption.

Generated by OpenCVE AI on July 16, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 or later, which contain the fix that removes the overflow in the JSON destructor.
  • Restart the Envoy instance so the new code is loaded and no stale state remains.
  • Validate or limit the depth of JSON objects in configuration files to avoid large nesting that could trigger tools or scripts to enforce a maximum nesting depth before deployment.

Generated by OpenCVE AI on July 16, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-776
References
Metrics threat_severity

None

threat_severity

Important


Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Fri, 26 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Title Envoy: Stack overflow in destructor of highly nested JSON
Weaknesses CWE-1124
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T13:27:38.828Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48042

cve-icon Vulnrichment

Updated: 2026-06-29T13:27:30.522Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-26T17:29:14Z

Links: CVE-2026-48042 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T13:00:14Z

Weaknesses
  • CWE-1124

    Excessively Deep Nesting

  • CWE-776

    Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')