Envoy Gateway CVE-2026-53715
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Network reader on :18002, race condition raises AC:H, tenant RBAC for EnvoyExtensionPolicy sets PR:L, DoS-only impact with no confidentiality or integrity consequence.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4):
- Pod-network reachability to :18002 (no auth)
- Tenant can create EnvoyExtensionPolicy (baseline)
- Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs
- Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)
Description:
httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits - cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.
AnalysisAI
Envoy Gateway's Wasm extension cache HTTP server (port 18002) can be crashed by a tenant-level attacker, causing a cross-tenant control-plane denial of service. The race condition in httpserver.go causes Go's runtime to call runtime.throw upon detecting an unsynchronized concurrent map access - a fatal signal that net/http's per-connection recover cannot intercept - terminating the entire controller process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Four specific preconditions must all be satisfied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.3) is well-calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a pod within a multi-tenant Kubernetes cluster with permission to create EnvoyExtensionPolicy resources simultaneously floods GET requests to the controller's pod-network address on port 18002 (the Wasm cache server) and rapidly creates and updates EnvoyExtensionPolicy objects referencing distinct Wasm URLs. The flood saturates the read goroutine pool while policy churning keeps write goroutines active; when a read and write goroutine access s.mappingPath2Cache concurrently, Go's runtime detects the unsynchronized map access, calls runtime.throw, and terminates the Envoy Gateway controller process, disrupting control-plane operations for all tenants until Kubernetes restarts the pod. |
| Remediation | Upgrade to Envoy Gateway 1.7.4 (for 1.7.x deployments) or 1.8.1 (for 1.8.x deployments), as confirmed by the vendor advisory GHSA-8fv2-88gg-hm7q at https://github.com/envoyproxy/gateway/security/advisories/GHSA-8fv2-88gg-hm7q. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8fv2-88gg-hm7q