Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Envoy’s TcpStatsdSink suffers a heap buffer overflow when a statistic name longer than 16 KiB is processed. The implementation reserves a fixed 16 KiB slice for each flush, and when a metric exceeds the remaining space it rotates but mistakenly allocates another slice before continuing the copy. An attacker who is able to generate a very long statistic name—such as by sending an HTTP or gRPC request with an unusually long path that is recorded by the grpc_stats filter—can trigger the overflow. The overflow can crash the Envoy process (Denial of Service) and, depending on the surrounding code, may allow a remote attacker to achieve remote code execution.

Affected Systems

The vulnerability affects Envoy releases 1.34.0 through 1.35.13, 1.36.9, 1.37.5, and 1.38.3. Any installation of Envoy that includes the TcpStatsdSink component and configures the risk. The impacted vendor is envoyproxy:envoy.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS is not available, yet the flaw is can send a sufficiently long request path. The lack of a CISA KEV listing does not reduce the risk; the flaw remains a known heap corruption risk and is addressed in newer releases. An attacker can potentially exploit the flaw remotely via crafted HTTP or gRPC traffic, assuming no additional defenses are in place.

Generated by OpenCVE AI on June 26, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to a version that includes the fix (1.35.13, 1.36.9, 1.37.5, or 1.38.3 or later).
  • Reconfigure or with stats_for_all_methods set to false, or otherwise limit the length of statistic names that can be recorded.
  • Implement network or application‑layer input validation to reject request paths exceeding a safe length, thereby preventing the creation of overly long statistic names.

Generated by OpenCVE AI on June 26, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Title Envoy Heap Buffer Overflow in TcpStatsdSink
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:05:30.344Z

Reserved: 2026-05-22T18:47:27.754Z

Link: CVE-2026-48706

cve-icon Vulnrichment

Updated: 2026-06-26T19:05:18.309Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')