Skip to main content

Envoy Gateway CVE-2026-53715

MEDIUM
Race Condition (CWE-362)
2026-07-16 https://github.com/envoyproxy/gateway GHSA-8fv2-88gg-hm7q
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

Network reader on :18002, race condition raises AC:H, tenant RBAC for EnvoyExtensionPolicy sets PR:L, DoS-only impact with no confidentiality or integrity consequence.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 19:52 vuln.today
Analysis Generated
Jul 16, 2026 - 19:52 vuln.today

DescriptionGitHub Advisory

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Pod-network reachability to :18002 (no auth)
  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs
  • Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)

Description:

httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits - cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.

AnalysisAI

Envoy Gateway's Wasm extension cache HTTP server (port 18002) can be crashed by a tenant-level attacker, causing a cross-tenant control-plane denial of service. The race condition in httpserver.go causes Go's runtime to call runtime.throw upon detecting an unsynchronized concurrent map access - a fatal signal that net/http's per-connection recover cannot intercept - terminating the entire controller process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain EnvoyExtensionPolicy RBAC permission
Delivery
Gain pod-network access to controller :18002
Exploit
Flood GET requests to Wasm cache endpoint
Install
Simultaneously churn EnvoyExtensionPolicy with distinct Wasm URLs
C2
Race read goroutine against write goroutine on plain map
Execute
Go runtime.throw terminates controller process
Impact
Control-plane DoS affects all tenants

Vulnerability AssessmentAI

Exploitation Four specific preconditions must all be satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.3) is well-calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a pod within a multi-tenant Kubernetes cluster with permission to create EnvoyExtensionPolicy resources simultaneously floods GET requests to the controller's pod-network address on port 18002 (the Wasm cache server) and rapidly creates and updates EnvoyExtensionPolicy objects referencing distinct Wasm URLs. The flood saturates the read goroutine pool while policy churning keeps write goroutines active; when a read and write goroutine access s.mappingPath2Cache concurrently, Go's runtime detects the unsynchronized map access, calls runtime.throw, and terminates the Envoy Gateway controller process, disrupting control-plane operations for all tenants until Kubernetes restarts the pod.
Remediation Upgrade to Envoy Gateway 1.7.4 (for 1.7.x deployments) or 1.8.1 (for 1.8.x deployments), as confirmed by the vendor advisory GHSA-8fv2-88gg-hm7q at https://github.com/envoyproxy/gateway/security/advisories/GHSA-8fv2-88gg-hm7q. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-53715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy