Skip to main content

Envoy Gateway CVE-2026-53719

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-07-16 https://github.com/envoyproxy/gateway GHSA-m2v6-2jmh-4c68
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Kubernetes API access is network-reachable (AV:N); tenant RBAC is required (PR:L); impact is pure persistent availability loss with no confidentiality or integrity consequence (C:N/I:N/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 19:51 vuln.today
Analysis Generated
Jul 16, 2026 - 19:51 vuln.today

DescriptionGitHub Advisory

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant has SecurityPolicy + TCPRoute RBAC (baseline)
  • Tenant namespace permitted to attach TCPRoute to a Gateway listener
  • spec.authorization omitted (the trigger)
  • No admission webhook blocks the shape

Description:

A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.

AnalysisAI

Deterministic nil-pointer dereference in Envoy Gateway's gatewayapi runner allows a low-privileged tenant to permanently stall controller-wide xDS and Infrastructure IR publishing by submitting a single malformed CRD. Any tenant with namespace-scoped RBAC permission to create SecurityPolicy and TCPRoute resources can trigger a panic on every reconcile cycle by omitting the spec.authorization field, requiring administrator intervention to restore control-plane operations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain tenant namespace RBAC with SecurityPolicy + TCPRoute rights
Delivery
Create TCPRoute attached to Gateway listener
Exploit
Submit SecurityPolicy targeting TCPRoute with spec.authorization omitted
Execution
Nil-dereference panics gatewayapi runner on reconcile
Persist
recover() unwinds handle() callback
Impact
xDS/Infra IR publishing stalls controller-wide

Vulnerability AssessmentAI

Exploitation Four preconditions must all be satisfied: (1) the tenant namespace must hold RBAC permissions to create both SecurityPolicy and TCPRoute resources, (2) that namespace must be permitted to attach a TCPRoute to a Gateway listener (via ReferenceGrant or equivalent policy), (3) the submitted SecurityPolicy must reference the TCPRoute while omitting the spec.authorization field entirely - not setting it to an empty value - and (4) no admission webhook must be configured to reject this resource shape before it reaches the reconciler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterises the risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious tenant in a multi-tenant Kubernetes cluster submits a SecurityPolicy resource in their permitted namespace that targets a TCPRoute but deliberately omits the spec.authorization field. On each reconcile cycle the gatewayapi runner panics with a nil-pointer dereference, the handle() callback unwinds via recover(), and xDS and Infrastructure IR updates halt cluster-wide - blocking configuration changes for all other tenants simultaneously. …
Remediation Upgrade Envoy Gateway to version 1.7.4 (for 1.7.x deployments) or 1.8.1 (for 1.8.x deployments) as confirmed by GitHub Security Advisory GHSA-m2v6-2jmh-4c68 at https://github.com/envoyproxy/gateway/security/advisories/GHSA-m2v6-2jmh-4c68. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy