Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a logic error in Envoy's Zstd decompressor implementation, where a ratio check is performed at the wrong loop depth. When a specially crafted, highly compressed ZSTD payload is decompressed, the algorithm may allocate an enormous amount of memory, far exceeding anticipated limits. The result is a memory exhaustion scenario that can trigger an Out‑of‑Memory kill of the Envoy process, effectively taking the proxy offline and causing a denial of service for all traffic it routes.
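The loop-depth point above, shown as an added illustrative example (not Envoy's code): a streaming decompressor whose ratio check runs either once per output chunk in the inner loop or once per input slice in the outer loop. zlib stands in for zstd because the placement of the check is codec-independent; MAX_RATIO, OUT_CHUNK and the slice-based input model are assumptions.

```python
# Illustrative reimplementation, not Envoy's ZstdDecompressorImpl: zlib stands
# in for zstd (the Python stdlib has no zstd module before 3.14) because the
# placement of the ratio check does not depend on the codec.
import zlib

MAX_RATIO = 100        # assumed policy: output may not exceed 100x consumed input
OUT_CHUNK = 64 * 1024  # output produced per inner-loop iteration


class DecompressionBombError(Exception):
    def __init__(self, produced: int, consumed: int):
        super().__init__(f"{produced} B produced from {consumed} B consumed")
        self.produced = produced


def make_bomb(size: int = 10_000_000) -> bytes:
    """Constructed sample: roughly 10 KiB of compressed data expanding to `size` bytes."""
    return zlib.compress(b"\0" * size, 9)


def decompress_slices(slices: list, check_in_inner_loop: bool) -> bytes:
    """Decompress input given as slices. The ratio check sits either in the inner
    loop (after every output chunk, the correct depth) or in the outer loop (once
    per input slice: a single small slice is fully expanded before it ever runs)."""
    d = zlib.decompressobj()
    out = bytearray()
    consumed_before = 0  # bytes of input slices already finished

    def check(consumed: int) -> None:
        if len(out) > MAX_RATIO * max(consumed, 1):
            raise DecompressionBombError(len(out), consumed)

    for piece in slices:                           # outer loop: per input slice
        pending = piece
        while True:                                # inner loop: per OUT_CHUNK
            chunk = d.decompress(pending, OUT_CHUNK)
            out += chunk
            pending = d.unconsumed_tail
            if check_in_inner_loop:
                check(consumed_before + len(piece) - len(pending))
            if d.eof or (not chunk and not pending):
                break
        consumed_before += len(piece)
        if not check_in_inner_loop:
            check(consumed_before)
        if d.eof:
            break
    return bytes(out)
```

With the outer-loop check the bomb is expanded to its full 10 MB before the check trips; with the inner-loop check it trips after the first 64 KiB chunk.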

Affected Systems

The affected product is the Envoy open‑source edge and service proxy by envoyproxy. Versions from 1.23.0 up to, but not including, the fixed releases 1.35.11, 1.36.7, 1.37.3 and 1.38.1 are vulnerable; those fixed releases and later are not affected.

Risk and Exploitability

A CVSS score of 7.5 places the flaw in the high‑severity range, indicating significant impact on availability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The likely attack vector is remote; an attacker who can send data to an Envoy instance with ZSTD decompression enabled can craft a malicious payload that triggers the memory blow‑up. Successful exploitation requires only network access to the proxy and can be performed without authentication, making it a serious threat to exposed Envoy deployments.

Generated by OpenCVE AI on June 26, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to at least version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 where the patch is included.
  • If a quick upgrade is not possible, configure Envoy to disable ZSTD decompression or enforce strict input size limits so that large compressed payloads cannot be processed.
  • Implement monitoring of memory usage and resource limits for the Envoy process, and set alerts for abnormal spikes to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Envoyproxy; Envoyproxy envoy
Vendors & Products                    Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description                           Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Title                                 Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion
Weaknesses                            CWE-409
References
Metrics                               cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:31:20.280Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48044

Vulnrichment

Updated: 2026-06-26T18:31:14.308Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)