CVE-2026-48042
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk41th percentile — higher than 41% of all known CVEs
Summary
In Envoy, an open-source edge and service proxy for cloud-native applications, the destructor of a JSON object causes a stack overflow when deeply nested objects (around 100k levels) are present. The vulnerability affects versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Risk Assessment
An attacker can send a crafted request with deeply nested JSON, causing the Envoy process to crash (DoS) and potentially disrupting network services.
Recommendation
Immediately upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1, depending on your branch.
Original NVD description (English source)
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

