CVE-2026-47204
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk36th percentile — higher than 36% of all known CVEs
Summary
A vulnerability in the envoy.filters.http.grpc_stats filter causes a null pointer dereference crash in Envoy when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. Affects versions from 1.26.0 through 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Risk Assessment
A single unauthenticated HTTP request can crash the entire Envoy process, causing service disruption and potential DoS attacks on the infrastructure.
Recommendation
Immediately upgrade Envoy to version 1.35.13, 1.36.9, 1.37.5, or 1.38.3. If upgrade is not possible, temporarily disable the grpc_stats filter or block requests with Content-Type: application/connect+proto and application/connect+json on direct_response routes.
Original NVD description (English source)
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

