Envoy Gateway CVE-2026-53719
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Kubernetes API access is network-reachable (AV:N); tenant RBAC is required (PR:L); impact is pure persistent availability loss with no confidentiality or integrity consequence (C:N/I:N/A:H).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4):
- Tenant has SecurityPolicy + TCPRoute RBAC (baseline)
- Tenant namespace permitted to attach TCPRoute to a Gateway listener
- spec.authorization omitted (the trigger)
- No admission webhook blocks the shape
Description:
A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.
AnalysisAI
Deterministic nil-pointer dereference in Envoy Gateway's gatewayapi runner allows a low-privileged tenant to permanently stall controller-wide xDS and Infrastructure IR publishing by submitting a single malformed CRD. Any tenant with namespace-scoped RBAC permission to create SecurityPolicy and TCPRoute resources can trigger a panic on every reconcile cycle by omitting the spec.authorization field, requiring administrator intervention to restore control-plane operations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Four preconditions must all be satisfied: (1) the tenant namespace must hold RBAC permissions to create both SecurityPolicy and TCPRoute resources, (2) that namespace must be permitted to attach a TCPRoute to a Gateway listener (via ReferenceGrant or equivalent policy), (3) the submitted SecurityPolicy must reference the TCPRoute while omitting the spec.authorization field entirely - not setting it to an empty value - and (4) no admission webhook must be configured to reject this resource shape before it reaches the reconciler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterises the risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious tenant in a multi-tenant Kubernetes cluster submits a SecurityPolicy resource in their permitted namespace that targets a TCPRoute but deliberately omits the spec.authorization field. On each reconcile cycle the gatewayapi runner panics with a nil-pointer dereference, the handle() callback unwinds via recover(), and xDS and Infrastructure IR updates halt cluster-wide - blocking configuration changes for all other tenants simultaneously. … |
| Remediation | Upgrade Envoy Gateway to version 1.7.4 (for 1.7.x deployments) or 1.8.1 (for 1.8.x deployments) as confirmed by GitHub Security Advisory GHSA-m2v6-2jmh-4c68 at https://github.com/envoyproxy/gateway/security/advisories/GHSA-m2v6-2jmh-4c68. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-m2v6-2jmh-4c68