Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the Envoy HTTP OAuth2 filter leaves a pending asynchronous token exchange after the related downstream stream has been torn down. When the async client later completes, the filter still references stream callbacks that have already been destroyed, producing undefined behavior such as use-after-free or invalid virtual function pointer dereferences. This causes worker process crashes, leading to a denial of service. The issue is classified as CWE-416: Use After Free.

Affected Systems

The bug affects the Envoy 1.37 and 1.38 release lines: versions 1.37.0–1.37.4 and 1.38.0–1.38.2 contain the vulnerable OAuth2 filter; it was addressed in 1.37.5 and 1.38.3.

Risk and Exploitability

The CVSS score of 5.9 places the flaw in the moderate range. No EPSS score is published and the vulnerability is not listed in CISA’s KEV catalog, implying limited known exploitation. The likely attack vector involves manipulating the OAuth2 flow so that an async token exchange completes late, after the HTTP stream has already been closed, which would crash the Envoy worker. Remote code execution is not claimed; the impact is primarily availability loss.

Generated by OpenCVE AI on June 26, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Envoy 1.37.5 or later on the 1.37 release line.
  • Upgrade to Envoy 1.38.3 or later on the 1.38 release line.
  • Disable or remove the OAuth2 HTTP filter if it is not required for your traffic, or verify configuration to avoid delayed async token exchanges.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Moderate

Fri, 26 Jun 2026 23:15:00 +0000

Type: First Time appeared
  Values Added: Envoyproxy; Envoyproxy envoy
Type: Vendors & Products
  Values Added: Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 19:00:00 +0000

Type: Description
  Values Added: (the description text given in the Description section above)
Type: Title
  Values Added: Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)
Type: Weaknesses
  Values Added: CWE-416
Type: References
  Values Added: (none)
Type: Metrics
  Values Added: cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:03:05.257Z

Reserved: 2026-05-20T18:40:45.833Z

Link: CVE-2026-48090

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-26T18:03:05Z

Links: CVE-2026-48090 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T23:00:08Z

Weaknesses