CVE Catalog

CVE-2026-48090

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.58%

44th percentile - higher than 44% of all known CVEs

Summary

In Envoy from version 1.37.0 to 1.37.5 and 1.38.3, the HTTP OAuth2 filter can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can invoke OAuth2Filter methods on a freed object, causing undefined behavior, worker crashes (availability loss), and use-after-free/invalid-vptr failures. This vulnerability is fixed in 1.37.5 and 1.38.3.

Risk Assessment

The organization is exposed to DoS attacks by intentionally triggering worker crashes in Envoy, leading to service disruptions. Potential memory safety issues may enable further deployment-dependent impacts.

Recommendation

Immediately upgrade Envoy to version 1.37.5 or 1.38.3. If an upgrade is not possible, consider temporarily disabling the OAuth2 filter in the configuration.

Original NVD description (English source)

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS