Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The destructor of the JSON Object in Envoy can trigger a stack overflow when processing an object hierarchy that is over 100,000 levels deep. This stack‑based buffer overflow (CWE‑1124) can corrupt control data, causing an Envoy process to terminate unexpectedly. The immediate outcome is a denial of service to any service relying on that Envoy instance.

Affected Systems

Affected versions are Envoy deployments older than 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Any instance that loads deeply nested JSON, such as complex configuration files, can be vulnerable if running those releases.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity for a denial‑of‑service flaw. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation in the wild is uncertain. The likely attack vector is an attacker supplying a deeply nested JSON configuration that is processed by Envoy, causing the stack overflow during object destruction. A malformed configuration could lead to a crash and service disruption.

Generated by OpenCVE AI on June 26, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 or later, which contain the fix that removes the overflow in the JSON destructor.
  • Restart the Envoy instance after the upgrade to ensure the new code is loaded and no stale state remains.
  • Validate or limit the depth of JSON objects in configuration files to avoid large nesting that could trigger the destructor; consider using tools or scripts to enforce a maximum nesting depth before deployment.
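One way to enforce the depth limit from the last bullet before a configuration reaches Envoy, as an added example that is not Envoy's own code or an OpenCVE tool. The scanner walks the text iteratively rather than parsing it, so it cannot itself overflow the stack on the 100,000-level input the advisory describes; the limit of 64 and both sample documents are assumptions constructed for the example.

```python
# Assumed limit for this example; the page does not state a vendor-defined bound.
MAX_JSON_DEPTH = 64


def json_nesting_depth(text: str) -> int:
    """Return the deepest [ / { nesting level of a JSON document.

    Iterative character scan: no recursion, so deep input cannot exhaust
    the checker's own stack. Brackets inside string literals are ignored,
    and backslash escapes inside strings are honoured so an escaped quote
    does not end the string early.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced JSON brackets")
    if depth != 0 or in_string:
        raise ValueError("truncated JSON document")
    return max_depth


def config_depth_ok(text: str, limit: int = MAX_JSON_DEPTH) -> bool:
    """True when the document nests no deeper than `limit` levels."""
    return json_nesting_depth(text) <= limit


# Constructed samples: a 100,000-level document of the kind the advisory
# describes, and a small Envoy-style listener config (shape only, hypothetical).
DEEP_CONFIG = "[" * 100_000 + "]" * 100_000
SHALLOW_CONFIG = ('{"static_resources": {"listeners": [{"name": "l1", '
                  '"address": {"socket_address": {"port_value": 8080}}}]}}')

if __name__ == "__main__":
    print(json_nesting_depth(DEEP_CONFIG), config_depth_ok(DEEP_CONFIG))
    print(json_nesting_depth(SHALLOW_CONFIG), config_depth_ok(SHALLOW_CONFIG))
```

The standard library's `json.loads` is recursive and raises `RecursionError` on `DEEP_CONFIG` at the default recursion limit, which is why the check scans the text instead of parsing it first.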


Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Envoyproxy; Envoyproxy envoy
Vendors & Products                     Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 18:15:00 +0000

Type          Values Removed    Values Added
Description                     Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Title                           Envoy: Stack overflow in destructor of highly nested JSON
Weaknesses                      CWE-1124
References
Metrics                         cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Envoyproxy Envoy
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T17:29:14.964Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48042

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:15:08Z

Weaknesses