Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a logic error in Envoy’s Zstd decompressor implementation, where a ratio check is performed at the wrong crafted, highly compressed ZSTD payload is decompressed, the algorithm may allocate an enormous amount of memory, far exceeding anticipated limits. This size‑ enables a memory exhaustion scenario that can trigger an Out‑of‑Memory kill of the Envoy process, effectively taking the proxy offline and causing a denial of service for all traffic it routes.

Affected Systems

The affected product is the Envoy open‑source edge and service proxy by envoyproxy. Versions from 1.23.0 through 1.38.1 are vulnerable unless the patch versions 1.35.11, 1.36.7, 1.37.3, or 1.38.1 are applied. All other releases are not affected.

Risk and Exploitability

Based on the description, it is inferred that the vulnerable vector is remote network traffic: an attacker who can send a crafted, highly compressed ZSTD payload to an Envoy instance with decompression enabled can trigger the memory blow‑up. The CVSS score of 7.5 indicates high severity for availability. The EPSS score of < 1% suggests a low likelihood of exploitation, and the vulnerability is not in the CISA KEV catalog, implying no known widespread exploitation. This inference is based on typical exposure patterns for network‑facing services.

Generated by OpenCVE AI on July 6, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to at least version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 where the patch is included.
  • If a quick upgrade is not possible, configure Envoy to disable ZSTD decompression or enforce strict input size limits so that large compressed payloads cannot be processed.
  • Implement monitoring of memory usage and resource limits for the Envoy process, and set alerts for abnormal spikes to detect potential exploitation attempts.

Generated by OpenCVE AI on July 6, 2026 at 20:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Important


Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Title Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion
Weaknesses CWE-409
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:31:20.280Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48044

cve-icon Vulnrichment

Updated: 2026-06-26T18:31:14.308Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-26T17:31:37Z

Links: CVE-2026-48044 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T21:00:14Z

Weaknesses
  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)

  • CWE-770

    Allocation of Resources Without Limits or Throttling