CVE-2026-48706 in envoy

Summary

by MITRE • 06/26/2026

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability resides within Envoy's TCP StatsD sink implementation, specifically affecting versions from 1.34.0 through 1.35.12, 1.36.8, 1.37.4, and 1.38.2. This issue stems from improper memory management in the thread-local flusher buffer mechanism that handles statistics collection for metrics aggregation. The TcpStatsdSink component utilizes a fixed-size memory slice of 16KiB known as FLUSH_SLICE_SIZE_BYTES to format and transmit metric data to StatsD collectors. When processing exceptionally long statistic names, particularly those exceeding 16KiB in length, the system encounters a critical flaw in its buffer handling logic that can lead to exploitable memory corruption.

The technical flaw manifests when an attacker crafts input that generates statistics with names longer than the reserved buffer capacity. This scenario commonly occurs through HTTP or gRPC requests containing extremely long path parameters that are processed by filters such as grpc_stats when configured with stats_for_all_methods: true. The system attempts to copy these oversized metric names using memcpy operations without proper bounds checking, causing a heap write overflow condition. When a single metric exceeds the remaining capacity, the buffer rotation mechanism allocates another fixed 16KiB slice rather than one large enough for the pending metric, so the copy runs past the slice boundary, corrupts adjacent heap allocations, and can overwrite critical program data structures.
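The following is an added illustration, not Envoy's TcpStatsdSink code: a simplified flusher model with the flawed rotation policy (a fresh slice is always the fixed 16KiB size) beside the corrected one (the fresh slice is at least as large as the pending metric). The struct, function names and the StatsD line format are assumptions for the model; where the real code would memcpy past the slice end, the model checks capacity and refuses the write.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Simplified model of a StatsD TCP flusher that formats metrics into fixed-size
// slices. Illustrative stand-in only, not Envoy's implementation.
constexpr size_t FLUSH_SLICE_SIZE_BYTES = 16 * 1024;

// Flawed rotation policy: a fresh slice is always the fixed size, whatever the
// pending metric needs, so a >16KiB name can never fit.
size_t sliceSizeFlawed(size_t /*needed*/) { return FLUSH_SLICE_SIZE_BYTES; }
// Corrected policy: the fresh slice is at least as large as the pending metric.
size_t sliceSizeFixed(size_t needed) { return std::max(FLUSH_SLICE_SIZE_BYTES, needed); }

struct Flusher {
  std::vector<std::vector<char>> slices;
  size_t used = 0;          // bytes written into the current (last) slice
  size_t (*sizer)(size_t);  // rotation policy under test
  explicit Flusher(size_t (*s)(size_t)) : sizer(s) {}
  void rotate(size_t needed) { slices.emplace_back(sizer(needed)); used = 0; }

  // Appends "name:value|c\n" to the current slice. Where the real bug would
  // memcpy past the slice end, this model checks capacity and refuses instead.
  bool write(const std::string& name, long value) {
    const std::string line = name + ":" + std::to_string(value) + "|c\n";
    if (slices.empty() || slices.back().size() - used < line.size()) rotate(line.size());
    std::vector<char>& slice = slices.back();
    if (slice.size() - used < line.size()) return false;  // would overflow: reject
    std::memcpy(slice.data() + used, line.data(), line.size());
    used += line.size();
    return true;
  }
};

// Does a metric whose name is nameLen bytes long fit under the given policy?
bool nameFits(size_t (*sizer)(size_t), size_t nameLen) {
  Flusher f(sizer);
  return f.write(std::string(nameLen, 'a'), 1);
}

// Slices needed to flush `count` metrics with `nameLen`-byte names; ordinary
// rotation of short names behaves identically under both policies.
size_t slicesUsed(size_t (*sizer)(size_t), size_t count, size_t nameLen) {
  Flusher f(sizer);
  for (size_t i = 0; i < count; ++i) f.write(std::string(nameLen, 'b'), static_cast<long>(i));
  return f.slices.size();
}
```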

The operational impact of this vulnerability spans from immediate denial-of-service conditions leading to process crashes to more severe remote code execution possibilities depending on memory layout and exploitation circumstances. The heap overflow can corrupt critical metadata such as function pointers, return addresses, or other runtime structures that would cause the proxy to terminate abruptly or potentially allow arbitrary code execution if carefully crafted. This vulnerability directly impacts cloud-native environments where Envoy serves as edge or service proxies, making it particularly dangerous in production systems where continuous availability and security are paramount. The issue affects any deployment using TCP StatsD sink functionality with configurable statistic name generation that could be influenced by external input.

Mitigation strategies include upgrading to patched versions 1.35.13, 1.36.9, 1.37.5, or 1.38.3 where the buffer handling logic has been corrected to properly account for oversized metric names and implement appropriate bounds checking mechanisms. Organizations should also consider implementing input validation controls that limit the length of statistic names generated by filters, particularly when processing external requests. Additionally, monitoring systems should be enhanced to detect unusual patterns in statistic collection that might indicate exploitation attempts. Security teams must evaluate their current deployments against affected versions and ensure comprehensive testing of patched implementations before rolling out updates to production environments. This vulnerability aligns with CWE-121 heap-based buffer overflow categories and represents a potential ATT&CK technique involving privilege escalation through memory corruption during proxy processing operations.

The root cause analysis reveals fundamental flaws in how the system manages thread-local buffers for metric collection, specifically failing to implement proper bounds checking during memory allocation and copy operations. This type of vulnerability demonstrates the complexity involved in managing memory resources in high-performance systems where efficiency considerations can conflict with security requirements. The vulnerability also highlights the importance of thorough testing for edge cases involving maximum input sizes and the need for rigorous buffer management practices even in well-established open-source components that serve critical infrastructure functions.

Responsible: GitHub M

Reservation: 05/22/2026

Disclosure: 06/26/2026

Moderation: accepted

CPE: ready

EPSS: 0.00557

KEV: no

Activities: low
