CVE Catalog

CVE-2026-48044

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

37th percentile — higher than 37% of all known CVEs

Summary

In Envoy from version 1.23.0 to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability was found in the zstd decompressor implementation (ZstdDecompressorImpl). Processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause memory exhaustion, resulting in an OOM kill and Denial of Service (DoS) for the Envoy proxy.

Risk Assessment

The risk is the ability to remotely trigger memory exhaustion in the Envoy proxy server, leading to service disruption and potentially the entire network infrastructure. The attack does not require authentication and can be performed by sending a crafted request.

Recommendation

Immediately upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1, depending on the branch used. If an upgrade is not possible, temporarily disable zstd decompression in the proxy configuration.

Original NVD description (English source)

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS