Impact
This vulnerability arises from a logic error in Envoy’s Zstd decompressor implementation, where a ratio check is performed at the wrong crafted, highly compressed ZSTD payload is decompressed, the algorithm may allocate an enormous amount of memory, far exceeding anticipated limits. This size‑ enables a memory exhaustion scenario that can trigger an Out‑of‑Memory kill of the Envoy process, effectively taking the proxy offline and causing a denial of service for all traffic it routes.
Affected Systems
The affected product is the Envoy open‑source edge and service proxy by envoyproxy. Versions from 1.23.0 through 1.38.1 are vulnerable unless the patch versions 1.35.11, 1.36.7, 1.37.3, or 1.38.1 are applied. All other releases are not affected.
Risk and Exploitability
Based on the description, it is inferred that the vulnerable vector is remote network traffic: an attacker who can send a crafted, highly compressed ZSTD payload to an Envoy instance with decompression enabled can trigger the memory blow‑up. The CVSS score of 7.5 indicates high severity for availability. The EPSS score of < 1% suggests a low likelihood of exploitation, and the vulnerability is not in the CISA KEV catalog, implying no known widespread exploitation. This inference is based on typical exposure patterns for network‑facing services.
OpenCVE Enrichment