CVE-2026-48044 in envoy

Summary

by MITRE • 06/26/2026

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability identified in Envoy's zstd decompressor implementation represents a critical memory exhaustion flaw that affects versions from 1.23.0 through 1.35.10 and specific patch releases up to 1.38.0. This issue resides within the ZstdDecompressorImpl component which handles decompression of zstd compressed data streams. The vulnerability manifests when the proxy processes specially crafted zstd payloads that exploit the decompression algorithm's behavior under extreme compression ratios, leading to disproportionate memory allocation during the decompression process. This flaw falls under the CWE-400 category of Uncontrolled Resource Consumption, specifically targeting memory resources through improper input handling during decompression operations.

Exploitation consists of sending a zstd compressed payload whose decompressed size is disproportionate to its compressed size, so that the decompressor allocates output buffers far beyond normal operational parameters. The affected implementation does not validate or limit the memory required to inflate such highly compressed data, allowing an attacker to feed inputs that cause the proxy to consume massive amounts of memory. This is a classic resource exhaustion pattern: a small input drives memory consumption at an unsustainable rate, leading to system instability and potential process termination.

The operational impact extends beyond a transient service disruption to a complete loss of availability for the affected Envoy proxy instance. When exploited successfully, the vulnerability can trigger Out-Of-Memory conditions that result in automatic process termination by the operating system's memory management subsystem, commonly known as an OOM kill. Legitimate traffic then cannot be processed because the proxy has been terminated or has become unresponsive. The attack surface includes any environment where Envoy is configured to decompress zstd content, which makes the issue particularly dangerous in high-traffic cloud-native environments where memory is already constrained.

Mitigation strategies for this vulnerability should focus on immediate deployment of patched versions as recommended by the maintainers, specifically versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 which contain the necessary fixes. Organizations should also implement additional protective measures such as rate limiting for decompression operations, memory limits on proxy processes, and monitoring for unusual memory consumption patterns that could indicate exploitation attempts. The fix likely involves implementing proper bounds checking and memory allocation limits within the zstd decompressor implementation to prevent excessive buffer allocation during decompression operations, aligning with established security practices for preventing resource exhaustion attacks. This vulnerability demonstrates the importance of thorough input validation in compression libraries and highlights the need for robust resource management in proxy implementations that handle potentially malicious content from untrusted sources.
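The analysis above describes the defensive property a decompressor needs: the amount of output it is willing to produce must be bounded before inflation, not after. The following is an added example written for this page; it is not Envoy's code and not the fix shipped in the patched releases. It uses Python's standard-library zlib as a stand-in for zstd (the zstd bindings are not in the standard library, and the guard logic is independent of the codec): the decompressor is driven in fixed-size output chunks, and inflation is aborted as soon as the cumulative output would exceed either an absolute cap or a maximum compressed-to-decompressed ratio. The function and parameter names (bounded_decompress, max_output, max_ratio) and the sample payloads are all constructed for the example.

```python
import zlib

# zlib is used here as a stand-in for zstd (assumption of this example):
# the budget check is codec-agnostic and only needs a streaming API that
# lets the caller bound how many output bytes each step may produce.


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured budget."""


def bounded_decompress(payload: bytes, max_output: int, max_ratio: int,
                       chunk: int = 64 * 1024) -> bytes:
    """Inflate `payload`, refusing to emit more than `max_output` bytes or
    more than `max_ratio` output bytes per input byte. Work is done in
    `chunk`-sized steps so a decompression bomb is rejected after at most
    one extra chunk of work, never after the whole payload is inflated."""
    d = zlib.decompressobj()
    out = bytearray()
    # The effective budget is the tighter of the absolute and ratio caps,
    # fixed from the compressed size before any inflation happens.
    budget = min(max_output, max_ratio * len(payload))
    data = payload
    while not d.eof:
        # max_length bounds the output of this step; input that could not
        # be processed within that bound is left in unconsumed_tail.
        piece = d.decompress(data, chunk)
        out += piece
        if len(out) > budget:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeded budget of {budget} bytes")
        data = d.unconsumed_tail
        if not piece and not data:
            # No progress possible and no input left: truncated stream.
            raise ValueError("truncated compressed stream")
    return bytes(out)


def make_bomb(size: int) -> bytes:
    """Constructed sample: a zero-filled buffer compresses to a tiny payload
    (roughly 1000:1 with zlib), the shape of input the advisory describes."""
    return zlib.compress(b"\x00" * size, 9)


def demo():
    """Run a benign body and a bomb through the same guard.
    Returns (benign_output, bomb_was_blocked)."""
    benign_body = b"hello envoy " * 100            # constructed sample body
    benign = zlib.compress(benign_body)
    ok = bounded_decompress(benign, max_output=1 << 20, max_ratio=100)

    bomb = make_bomb(10 * 1024 * 1024)            # 10 MiB of zeros -> ~10 KiB
    try:
        bounded_decompress(bomb, max_output=1 << 20, max_ratio=100)
        blocked = False
    except DecompressionLimitExceeded:
        blocked = True
    return ok, blocked


if __name__ == "__main__":
    ok, blocked = demo()
    print(f"benign body restored: {len(ok)} bytes; bomb blocked: {blocked}")
```

The important design choice is that the budget is derived from the compressed length before the first byte is inflated, and the loop checks it after every chunk. A guard that only measures the final output size would still allocate the full buffer and would not have prevented the OOM condition the advisory describes. Absolute and ratio caps complement each other: the ratio cap catches small, extremely compressible payloads, while the absolute cap protects against a large payload with a moderate ratio.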

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
