Impact
Envoy’s TcpStatsdSink can overflow a heap buffer when processing an exceptionally long statistic name exceeding 16 KiB. The component reserves a single 16 KiB slice per flush, and if a metric’s name would overrun the remaining space it starts a new buffer rotation but mistakenly continues to copy into the original slice with memcpy. The overflow is a classic buffer overflow weakness (CWE‑120, CWE‑787) and can cause the Envoy process to crash or, in certain conditions, corrupt memory enough to enable remote code execution. The vulnerability is triggered by request paths recorded by the grpc_stats filter when statistics are collected for all methods.
Affected Systems
Versions of Envoy from 1.34.0 up through 1.35.13, 1.36.9, 1.37.5, and 1.38.3 are affected. The flaw resides in the TcpStatsdSink component that is activated when the grpc_stats filter records metrics for all methods.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, but the EPSS score of < 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker could trigger the overflow by sending an HTTP or gRPC request with an excessively long path that is captured by the grpc_stats filter, assuming no other mitigations are in place.
OpenCVE Enrichment