Skip to main content

Envoy Proxy CVE-2026-47204

| EUVDEUVD-2026-39824 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-26 GitHub_M
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Vendor description states unauthenticated exploitation, overriding official PR:L; pure availability crash, no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Severity Changed
Jun 27, 2026 - 20:37 NVD
MEDIUM HIGH
CVSS changed
Jun 27, 2026 - 20:37 NVD
6.5 (MEDIUM) 7.5 (HIGH)
Patch available
Jun 26, 2026 - 19:02 EUVD
Analysis Generated
Jun 26, 2026 - 18:36 vuln.today

DescriptionNVD

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

AnalysisAI

The envoy.filters.http.grpc_stats HTTP filter in Envoy versions 1.26.0 through the pre-fix releases crashes with a null pointer dereference when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) is routed to a direct_response route, terminating the Envoy process entirely. The vendor description states a single unauthenticated HTTP request is sufficient to trigger the crash, giving any network-reachable attacker a trivial one-packet denial of service against affected deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send HTTP request with Connect Content-Type
Delivery
Match direct_response route with grpc_stats filter active
Exploit
Null pointer dereference in grpc_stats Connect handler
Execution
Envoy worker process crashes (SIGSEGV)
Impact
All proxied traffic dropped until process restart

Vulnerability AssessmentAI

Exploitation Two specific non-default configuration conditions must both be present simultaneously: (1) the envoy.filters.http.grpc_stats HTTP filter must be explicitly configured in the HTTP filter chain, and (2) at least one route within that filter chain must use a direct_response route action rather than forwarding to an upstream cluster. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official NVD score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H reflects a network-exploitable, low-complexity, availability-only impact - but there is a critical discrepancy: the vector assigns PR:L (low privileges required) while the vulnerability description explicitly states 'a single unauthenticated HTTP request crashes the Envoy process.' If unauthenticated exploitation is accurate, the effective score is closer to 7.5 (PR:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies or infers that an Envoy gateway or sidecar proxy has the grpc_stats filter active on a route configured with a direct_response action, then sends a single HTTP GET or POST request to that endpoint with the header Content-Type: application/connect+proto. The grpc_stats filter attempts to record statistics for the Connect protocol request but dereferences a null pointer in the absence of an upstream cluster object, immediately crashing the Envoy worker process. …
Remediation Upgrade Envoy to one of the vendor-confirmed patched releases: 1.35.13, 1.36.9, 1.37.5, or 1.38.3, as documented in GitHub Security Advisory GHSA-3jxh-8p6x-7pf6 at https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Envoy

View all
CVE-2023-27488 CRITICAL POC
9.8 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8

CVE-2019-18802 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2019-18801 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-27493 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27491 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27487 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2020-25017 HIGH POC
8.3 Oct 01

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated

CVE-2019-9900 HIGH POC
8.3 Apr 25

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R

CVE-2026-26308 HIGH POC
7.5 Mar 10

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea

CVE-2024-53270 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-53269 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-45810 HIGH POC
7.5 Sep 20

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

Share

CVE-2026-47204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy