CVE Catalog

CVE-2026-47204

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile — higher than 36% of all known CVEs

Summary

A vulnerability in the envoy.filters.http.grpc_stats filter causes a null pointer dereference crash in Envoy when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. Affects versions from 1.26.0 through 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

Risk Assessment

A single unauthenticated HTTP request can crash the entire Envoy process, causing service disruption and potential DoS attacks on the infrastructure.

Recommendation

Immediately upgrade Envoy to version 1.35.13, 1.36.9, 1.37.5, or 1.38.3. If upgrade is not possible, temporarily disable the grpc_stats filter or block requests with Content-Type: application/connect+proto and application/connect+json on direct_response routes.

Original NVD description (English source)

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS