CVE Catalog

CVE-2026-48042

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile — higher than 41% of all known CVEs

Summary

In Envoy, an open-source edge and service proxy for cloud-native applications, the destructor of a JSON object causes a stack overflow when deeply nested objects (around 100k levels) are present. The vulnerability affects versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Risk Assessment

An attacker can send a crafted request with deeply nested JSON, causing the Envoy process to crash (DoS) and potentially disrupting network services.

Recommendation

Immediately upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1, depending on your branch.

Original NVD description (English source)

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS