Envoy Proxy: Eleven Vulnerabilities Disclosed Together, Targeting DoS and Memory Corruption
Eleven vulnerabilities disclosed together for the Envoy proxy on June 26, 2026, include denial-of-service, memory corruption, and security bypass flaws.

Key findings
- Eleven vulnerabilities in Envoy disclosed on June 26, 2026, span DoS, memory corruption, and security bypasses.
- Use-after-free bugs in OAuth2 filter and ext_authz, plus a heap overflow, pose risks of crashes and RCE.
- Multiple denial-of-service flaws target specific request handling, data payloads, and logging configurations.
- Security policy bypass via HTTP/3 to HTTP/1 translation and information disclosure via certificates are also present.
- The batch includes CVE-2026-48090, CVE-2026-47220, CVE-2026-47205, CVE-2026-47692, CVE-2026-48706, CVE-2026-47204, CVE-2026-47221, CVE-2026-48743, CVE-2026-48044, CVE-2026-48042, and CVE-2026-47778.
- Administrators should monitor for official patches and review configurations related to filters, protocol handling, and data processing.
On June 26, 2026, a batch of eleven vulnerabilities was disclosed for the Envoy proxy, spanning a range of severities from moderate to important. These vulnerabilities, all disclosed within a single hour, highlight several areas of concern including denial of service, memory corruption, and security policy bypasses. The disclosures collectively underscore the importance of timely patching and configuration review for systems relying on Envoy for network traffic management.
Several vulnerabilities in this batch relate to denial of service (DoS) attacks. CVE-2026-47220 and CVE-2026-47204 present DoS risks through specific request handling, with CVE-2026-47220 exploiting a missing host header in certain logging configurations, and CVE-2026-47204 concerning the Connect protocol. Additionally, CVE-2026-48044 and CVE-2026-48042 allow for DoS through specially crafted zstd payloads and deeply nested JSON objects, respectively. These issues could allow an attacker to disrupt service availability by overwhelming the proxy with malformed or resource-intensive data.
Memory corruption vulnerabilities were also prominent in this disclosure batch. CVE-2026-48090 and CVE-2026-47205 involve use-after-free (UAF) conditions during stream teardown within the OAuth2 filter and the ext_authz component, respectively. These UAF flaws can lead to crashes and potential remote code execution. Furthermore, CVE-2026-48706 describes a heap buffer overflow in the TcpStatsxSink, which could also be leveraged for denial of service or more severe impacts. CVE-2026-47221 points to a null pointer dereference in internal redirects, another potential cause of crashes.
Security policy bypasses and information disclosure are also addressed in this set of CVEs. CVE-2026-48743 details a request desynchronization vulnerability that can bypass security policies when translating HTTP/3 to HTTP/1 traffic. This could allow attackers to circumvent access controls or other security measures. Separately, CVE-2026-47778 describes an information disclosure vulnerability related to malicious certificates containing NUL bytes in the DNS Subject Alternative Name (SAN), which could potentially reveal sensitive information. CVE-2026-47692 involves a PROXY Protocol v2 header generator flaw that could lead to an attacker-controlled spillover into the upstream application stream.
The rapid, same-day disclosure of these eleven vulnerabilities emphasizes the need for prompt attention from Envoy administrators. While specific patch versions were not detailed in the initial disclosures, users are advised to consult the official Envoy security advisories and apply updates as soon as they become available. Proactive monitoring of Envoy's security posture and regular review of configurations, especially those related to OAuth2, ext_authz, logging, and protocol handling, are crucial to mitigate the risks posed by these vulnerabilities.
This batch of vulnerabilities, disclosed on June 26, 2026, affects the Envoy proxy. The eleven CVEs, ranging in severity, include multiple denial-of-service flaws, use-after-free bugs, heap buffer overflows, a null pointer dereference, a security policy bypass, and an information disclosure vulnerability. The tight disclosure window suggests a coordinated release of security findings, highlighting potential systemic weaknesses that require immediate attention from users and administrators.
Key findings from this disclosure event include:
- Multiple denial-of-service vulnerabilities (CVE-2026-47220, CVE-2026-47204, CVE-2026-48044, CVE-2026-48042) exploit specific request handling and data processing flaws.
- Use-after-free vulnerabilities (CVE-2026-48090, CVE-2026-47205) and a heap buffer overflow (CVE-2026-48706) pose risks of crashes and potential remote code execution.
- A security policy bypass (CVE-2026-48743) arises from HTTP/3 to HTTP/1 translation issues.
- Information disclosure is possible via malformed certificates (CVE-2026-47778) and a PROXY Protocol v2 flaw (CVE-2026-47692).
- A null pointer dereference (CVE-2026-47221) in internal redirects can lead to service instability.
- All eleven vulnerabilities were disclosed on the same day, June 26, 2026, indicating a significant security event for Envoy users.